The recent data hack affecting British Airways customers could prove very costly for the airline, which will be subject to the recently implemented GDPR.


It is not yet clear how, but hackers were able to access names, email addresses and credit card information being used on the British Airways website and app. Of most concern is that they also managed to obtain CVV numbers (the 3 digits from the back of the card), which BA insists are not stored on its databases. It is therefore likely that the card details were intercepted rather than taken from a database.

As a result, the hackers were able to obtain personal information from 380,000 transactions.

British Airways boss, Alex Cruz, said hackers carried out a "sophisticated, malicious criminal attack" on its website, and that "We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered."


25th May 2018 saw the implementation of the General Data Protection Regulation, which provides a much better framework for data protection, stipulating that companies must take measures to protect the personal information they hold and notify authorities of any data breaches within 72 hours.

The purpose of the GDPR is to protect personal data, but a company of any size can be hacked, so it will be up to the Information Commissioner's Office (ICO) to establish if British Airways were at fault.

The ICO is currently investigating the breach. If it determines that not enough was done to protect the data, GDPR fines can be up to 4% of annual global revenue. For BA this could be a potential maximum fine of £489m.

The world is watching to see if an example is made of this case, which will set the standard for future breaches in the era of the GDPR.