
Did British Airways Violate the GDPR?

Greg Mooney | September 19, 2018 | security, GDPR, Compliance


Companies around the world have been anxiously waiting to see who will be made an example of under the new GDPR rules. Under the GDPR, entities that violate the regulation face heavy fines and civil lawsuits.

The GDPR has been in force since May 25, 2018, and many businesses had been preparing for the new rules for months, if not years. Many others are still racing to catch up before a data breach or an audit exposes them. Several details of how the GDPR will be applied have yet to be ironed out, but that does not excuse any entity that handles or processes the personal data of EU residents from complying with it.

Who Will Be Made An Example Of Under GDPR?

It has been clear for some time that the effectiveness of the GDPR would ultimately be determined by the investigations and lawsuits against the first businesses caught violating it. Now we may have the first major company to face that test: British Airways.

It is no surprise that the first major company to draw media attention for a possible GDPR violation comes from the airline industry, which has been a spectacle of poor cybersecurity for years. The industry notoriously runs on thin profit margins, so data security is rarely top-of-mind for executives.

As past employees and security professionals have noted, airlines run systems that are more than 30 years old, and those systems are connected to much newer web services. Legacy systems, especially those that process customers' personal data, remain the weak point of the airline industry.

For the airlines it has always been about the bottom line, but now their hands are being forced to take information security more seriously.


Will the EU Take Aim at British Airways for GDPR Noncompliance?

Earlier this month, British Airways disclosed a large data breach affecting roughly 380,000 transactions. The compromised data included the personal and financial details of customers who booked with the airline between August and September 2018.

Attaching consequences to mishandled personal data is exactly what the GDPR was enacted to do. Every company that processes the personal data of EU residents is now on the hook, and a compromise of that data invites scrutiny of what the company did, or failed to do, to protect it. Because a GDPR violation can cost a company up to 4% of annual global turnover (or €20 million, whichever is higher), the price can be massive, with the possibility of breaking a company financially. For a business as big as BA this may be a glancing blow, but small to mid-sized companies may not be so lucky in the wake of a breach.

As for BA, it reported the breach quickly and even placed ads in newspapers to increase the visibility of the issue. That is a commendable response. Prompt notification is also what the GDPR requires, within 72 hours of becoming aware of a breach, so that step on its own is not what would trigger an investigation. However, there is evidence that BA knew its web applications were not entirely secure as far back as a year ago. That would and should trigger an intense investigation. At the very least, this is an opportunity to prove the effectiveness of the GDPR.


Could British Airways Have Avoided Scrutiny?

All most businesses can do is watch and see whether BA will be made an example of under the GDPR, and how.

The fact is that BA is not alone in suffering this type of breach. Delta Air Lines disclosed a similar breach back in April, as did Ticketmaster UK. Both might have been penalised for GDPR noncompliance had the GDPR been in force at the time.


It turns out that many of these breaches are caused by JavaScript injected into the scripts that e-commerce checkout pages load to collect payment details, often by way of compromised third-party code. In BA's case the Magecart group appears to be the culprit, based on evidence from similar web-based card skimmers.

RiskIQ has been reporting on this type of supply chain attack for some time and has published a full analysis of the BA incident.

Should Companies Be Using 3rd Party Scripts On Their Website?

Using third-party code, scripts, tools, or plugins on a website is a great way to speed up development. It is common practice and has real benefits, but when a site processes or handles personal data, businesses need to be extra careful about any third-party code they include. It makes a developer's life easier because they do not have to write and test the code themselves, but many sites run scripts and plugins that have not been updated in ages or are no longer supported at all.

So should you avoid third-party scripts altogether? That depends on the application. But with more and more supply chain attacks targeting these tools and scripts, it makes sense to be extra sure the scripts you include are secure: know exactly which external scripts load on payment pages, pin each one with a Subresource Integrity hash so a modified copy is refused by the browser, and restrict where scripts can load from and send data to with a Content Security Policy. Free and open source tools are great and help you stay under budget, but for a site that processes personal data it is smarter to work with a vendor that regularly updates and supports its code.

All we can do at this point is watch how the supervisory authorities approach the BA breach, but that does not mean we cannot cover our own bases in the meantime.



Greg is a technologist and data geek with over 10 years in tech. He has worked in a variety of industries as an IT manager and software tester. Greg is an avid writer on everything IT related, from cyber security to troubleshooting.
