British Airways Data Breach – A case study in IP Risk Management

The airline British Airways has been fined £20m by the UK’s Information Commissioner’s Office (ICO) for a data breach that affected more than 400,000 customers. The data breach took place in 2018 and affected both personal and credit card data. The data stolen included log-in, payment card and travel booking details as well as name and address information.

The fine of £20m is considerably smaller than the £183m that the ICO originally said it intended to issue back in 2019. However, it is the largest penalty issued by the ICO to date.

Not just a GDPR case study

Almost all articles and papers written about this particular data breach, the subsequent investigation, and the fine focus on GDPR and paint this incident as a fascinating data, data privacy, and data breach case study. However, I would argue that it is also a fascinating IP, IP risk, and IP risk management case study and that this particular incident has lessons for many working in the IP sector, particularly in-house IP functions and IP Law Firms advising their operating company clients. Allow me to explain why.

IP related risks

The criminal masterminds behind this data breach basically leveraged known risks associated with one particular IP model and one form of IP to carry out their attack.

Firstly, they clearly understood open-source software (an IP model), exploiting a known vulnerability in Modernizr, a JavaScript library that detects the features available in a user’s browser.

Secondly, they clearly understood domain names (a form of IP), establishing a fake website at ‘’, a domain name that sounds similar to the official British Airways one but is outside the control of the airline.

I suggest that the criminal masterminds behind this data breach were IP experts.

British Airways and IP Management

Most of the news articles on this British Airways data breach talk about the company conducting a thorough cybersecurity investigation when it became aware of the data breach. British Airways has stated that it has made improvements to the security of its IT systems since the attack. However, what about its approach to IP, IP management, and especially IP risk management? As part of its investigation, did British Airways quiz its IP folks about what they were doing prior to the data breach? Did British Airways pose the following questions to its in-house IP function (and/or its external IP Law Firm advisors):

Q1/ Does British Airways have a robust IP risk management process in place? If not, why not?

Q2/ Does it have a fit-for-purpose IP risk management system in use? If not, why not?

Q3/ Given that open source software is an IP model, what kind of attention were the BA IP folks paying to this particular aspect of IP?

Q4/ How were the BA IP folks managing and mitigating open source software and the associated risks from an IP perspective? If such risks were not being managed, why not?

Q5/ How were the IP folks managing domain names at British Airways?

Q6/ More importantly, how were they managing and mitigating the risks associated with domain names? If such risks were not being managed, why not?

Q7/ If and when the IP folks at British Airways provide IP management reports to the C-Suite Executives at the airline, is there any mention in these reports of open source software (and the associated risks) and/or domain names (and the associated risks)? If these issues are not mentioned in any such reports, why not?

The really scary thing

Although this article focuses on British Airways, the really scary thing about this story is that British Airways is far from unique in embracing open source software and in using domain names. Many other companies are doing exactly the same.

Yet how many corporate in-house IP functions are properly and professionally logging and tracking the known risks associated with this particular IP model (i.e. open source software) and this particular form of IP (i.e. domain names), and mitigating these risks in an efficient and effective manner?

How many corporate in-house IP functions have a robust IP risk management process in place and a fit-for-purpose IP risk management system in use? Unfortunately, not many.

Donal O’Connell, IPEG consultant.