
British Airways data breach — exercise your GDPR rights

In 2018, attackers modified a JavaScript library served by the British Airways booking website and app so that it silently skimmed payment card details from customers as they completed purchases. Up to 500,000 customers were affected (the ICO's final penalty notice put the figure at around 430,000 customers and staff) over roughly two weeks, from 21 August to 5 September 2018. The UK ICO fined British Airways £20 million for failing to implement adequate security measures.

⚖️ Regulatory action: British Airways was fined £20 million by the UK ICO in October 2020 for failing to implement appropriate security measures under Article 32 GDPR. The ICO had initially announced an intention to fine £183.39 million.

What happened

2018 · Up to 500,000 customers affected

A Magecart group (the collective label for several card-skimming crews) modified a JavaScript library loaded by the BA website and app, appending code that harvested names, billing addresses, email addresses and full payment card details, including CVV numbers, as customers submitted bookings, and sent them to an attacker-controlled server. The skimmer ran from 21 August to 5 September 2018 before it was discovered; the ICO's investigation found that the attacker had first gained access to BA's systems in June 2018.

Data exposed:
  • Full names
  • Billing addresses
  • Email addresses
  • Payment card numbers
  • Card expiry dates
  • CVV numbers

What you can do

If you entered card details on ba.com or in the BA app between 21 August and 5 September 2018, there is a good chance they were skimmed; BA contacted affected customers at the time and advised them to speak to their card issuer, which remains the first practical step. A GDPR subject access request (Article 15) confirms what data British Airways holds about you, how it was handled and whether it was disclosed to anyone, giving you the evidence base to claim compensation under Article 82 if your data was misused.

You have two key rights under GDPR:

Note: British Airways Plc is the data controller. Address requests to its Data Protection Officer.

Generate your access request

This letter is pre-addressed to British Airways Plc, the data controller for British Airways.

To: British Airways Plc
Waterside (HCB3), PO Box 365, Harmondsworth, UB7 0GB, United Kingdom

Dear Data Protection Officer,

I am writing to exercise my rights under the General Data Protection Regulation (GDPR). As an individual whose personal data you process, I am requesting the following information:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

The GDPR requires you to respond within one month of receiving this request (Article 12(3)). If you consider an extension necessary, you must inform me within that month and explain why. If I do not receive a response, I will refer the matter to the supervisory authority.

Thank you for your prompt attention to this matter.

Sincerely,


1. Fill in your details, copy the letter and send it to the Data Protection Officer at the address above. Use a method that records the date of delivery and keep a dated copy; the one-month clock starts when the request is received.

2. Follow up until you hear back. The GDPR requires a response within one month (Article 12(3)); the controller may extend this by up to two further months for complex or numerous requests, but must tell you within the first month and give reasons.

3. No response, or an incomplete one? Lodge a complaint with a data protection authority. For a UK controller such as British Airways the relevant regulator is the UK Information Commissioner's Office (ICO); if you live in the EU, you can also complain to your local DPA.
