In summer 2018, a data breach affected almost 400,000 customers of British Airways, of which almost 250,000 had their names, addresses, credit card numbers and CVV codes stolen.
On June 22, 2018, an attacker gained access to British Airways Network by means of compromised credentials from an employee of Swissport, a third party cargo handler.
On 26 July 2018, the attacker found plain text files, containing payment card details for BA redemption transactions.
The ICO's report highlighted this as follows: The logging and storing of these card details (including, in most cases, CVV codes) was not an intended design feature of BA's systems and was not required for any particular business purpose.
BA has explained that this card data was being stored in plaintext (as opposed to in encrypted form) as a result of human error.
[4] British Airways urged customers to contact their banks or credit card issuer and to follow their advice.
[5] In 2021 the law firm Pogust and Goodhead announced that they were representing a group of BA customers who had been affected by the breach in "the largest group-action personal-data claim in UK history".