FlyerTalk Forums - View Single Post - BA Investigating Theft of Personal and Financial Data
Oct 12, 2018, 6:42 am
  #1337  
DYKWIA
Ambassador: Emirates Airlines
 
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,618
There's an interesting side story to this detailed in this month's PC Pro magazine.
  • Just over a month before the breach, a customer (an internet security expert) tried to check-in online. This kept failing.
  • On investigation, he found the reason was because he had an ad-blocker. He inspected the site and found his data was being sent to various data aggregators, despite him having opted out of sharing his data.
  • He complained to Customer Services, who said "clear your cache and cookies, or check-in at the airport". This was obviously too late as his data had already been shared.
  • So, he wrote to the BA compliance officer (Jonathan Stiff) explaining that they were breaking GDPR rules.
  • Exactly 30 days later (the maximum time allowed for BA to respond), he received a reply saying that what he'd reported wasn't correct, and there were no issues with the check-in process.
  • He checked again, and sure enough, all the tracking stuff had gone, and was then able to use online check-in again.
  • The date of this interaction? The very day the data breach began...
So, it is being suggested that BA realised they were not in compliance with GDPR, and quickly covered their tracks - and lied to the guy who'd reported it. In doing so, they also managed to leave something open that allowed the rogue script to be deployed onto their live service.

I really do hope they get hammered...

ETA - Grrrr, why doesn't formatting work correctly anymore on FT?