Data leak
Supply Chain
British Airways Magecart Payment Card Skimming Breach
Incident Details
Between 21 August and 5 September 2018, a Magecart Group 6 skimmer silently exfiltrated payment card details from approximately 500,000 British Airways customers who purchased tickets online or via the mobile app. The skimmer was injected through a compromised Modernizr JavaScript library served from BA's own infrastructure after the attackers gained access to BA's network. Customer names, billing addresses, email addresses, and full payment card details, including CVV codes, were exfiltrated to the attacker-controlled domain baways.com. BA detected the breach on 5 September 2018 and publicly disclosed it on 6 September. The UK ICO investigated and issued a £183.39 million fine (subsequently reduced to £20 million due to COVID-19 economic considerations), at the time the largest GDPR fine ever issued and equivalent to 1.5% of BA's global annual turnover. The attack was attributed to FIN6/Magecart Group 6 based on shared infrastructure and tactics. This was one of the first and most prominent GDPR enforcement actions, establishing that payment card skimming via web injection constitutes a major personal data breach subject to the 72-hour notification obligation of GDPR Article 33.
Technical Details
- Initial Attack Vector: Magecart Group 6 injected a 22-line JavaScript skimmer into British Airways' website and mobile app via a compromised third-party Modernizr JavaScript library; the skimmer exfiltrated payment card data to the attacker-controlled domain baways.com
- Vendor / Product: British Airways website / mobile app (Modernizr library)
- Malware Family: Magecart skimmer
- Supply Chain Attack: Confirmed third-party / vendor compromise
Timeline
- 2018-08-21: Breach occurred
- 2018-09-06: Publicly disclosed
- 2018-09-06: Customers notified