British Airways fined £20m for Magecart hack that exposed 400k folks' credit card details to crooks
British Airways is to pay a £20m data protection fine after its 2018 Magecart hack - even though the Information Commissioner's Office discovered the airline had been saving credit card details in plain text since 2015.
The ICO also condemned BA's claims during fine negotiations that credit card data breaches are "an entirely commonplace phenomenon" and "an unavoidable fact of life".
People's credit and debit card details were stolen as a result.
Alarmingly, the ICO's redacted fine notice published today revealed not only that the airline was compromised through a Citrix vulnerability but that it had been saving card details without any encryption at all - a huge no-no.
The ICO said: "The logging and storing of these card details was not an intended design feature of BA's systems; it was a testing feature that was only intended to operate when the systems were not live, but which was left activated when the systems went live." Those logs were stored for three months.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/10/16/british_airways_ico_fine_20m/