A threat actor calling itself the Infrastructure Destruction Squad has publicly claimed responsibility for a breach of British Airways, alleging the theft of medical records, crew rosters, and pilot information. The group announced the intrusion on its Telegram channel on 15 May 2026, asserting it accessed the airline's internal Crew Portal via a compromised user account and pivoted into medical servers and a connected AI analytics platform. British Airways has not publicly acknowledged the claims at the time of writing.

What Happened

According to messages posted to the group's Telegram, Infrastructure Destruction Squad gained entry to British Airways' Crew Portal, the internal application used by cabin crew and pilots to manage rosters, sick leave, and personal records. The attackers say they leveraged a compromised account belonging to an individual employee, then escalated to the admin control panel. From that foothold, they claim to have reached medical servers holding "highly sensitive information" on flight crew. The intrusion also reportedly extended to Cognino AI 360, an AI-driven data analysis and knowledge management platform connected to the airline's environment, where the actors say they exposed login interfaces, email addresses, and API keys tied to insurance and financial services integrations.

What Was Taken

The actor's claims describe four distinct categories of stolen data:

The full volume of records has not been disclosed by the group, and no public sample has been independently verified at this stage.

Why It Matters

Aviation crew data is uniquely sensitive. Pilot medical certifications, sick leave histories, and roster information can be weaponised for targeted social engineering, blackmail, or operational disruption of flight schedules. The alleged exposure of API keys for insurance and financial services integrations is particularly concerning: if valid, those credentials could enable downstream supply chain attacks against partner organisations long after the airline itself has rotated keys. This is also not British Airways' first major exposure incident. The carrier was caught up in the 2023 MOVEit supply chain campaign run by the Cl0p ransomware operation, underscoring a recurring pattern in which the airline's data perimeter extends through third-party platforms and shared infrastructure.

The Attack Technique

Infrastructure Destruction Squad attributes the intrusion to a single compromised user account, which the group says provided initial access to the Crew Portal. From there, they describe escalation into the admin control panel, suggesting either weak privilege separation between staff and administrative roles, missing multi-factor authentication on a privileged path, or a flaw that allowed horizontal-to-vertical privilege movement. Lateral pivot from the Crew Portal into medical servers and the Cognino AI 360 platform indicates flat or insufficiently segmented internal trust between the crew-facing application and adjacent sensitive systems. The presence of API keys for external financial and insurance partners inside the AI platform points to a recurring secrets management problem: credentials stored in knowledge bases rather than dedicated vaults.

What Organizations Should Do

  1. Enforce phishing-resistant MFA on every administrative path, not just the front-door login. Admin control panels reached after initial authentication are a common gap.
  2. Audit and rotate API keys held in AI and knowledge management platforms. Treat any LLM or analytics tool as a high-value secrets store and migrate credentials to a managed vault.
  3. Segment crew and operational portals from medical, HR, and finance systems. A compromised scheduling account should not reach health data.
  4. Hunt for compromised single-employee accounts through impossible-travel, anomalous session, and unusual admin-panel access telemetry.
  5. Review third-party AI platform configurations such as Cognino AI 360 for exposed login pages, default credentials, and over-privileged service accounts.
  6. Prepare a crew and regulator communications plan in advance. Aviation incidents involving medical data carry both data protection and safety regulator obligations under UK GDPR and CAA oversight.
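Item 4 above describes the hunt in terms of telemetry. The following Python script is an added illustration of what that hunt looks like in practice; it is not code from the article or from British Airways, and the log events, the admin allowlist (`ADMIN_USERS`) and the admin-panel route (`/crewportal/admin/`) are all constructed assumptions. It runs two checks over authenticated-request events: impossible travel (one account appearing at two geolocated source IPs faster than a commercial flight could carry it) and admin-panel access by an account that is not an expected administrator, which is the pattern the "compromised staff account, then admin control panel" claim would leave behind.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not from the article). Each tuple is one
# authenticated request: (UTC timestamp, user, source IP, geo-lat, geo-lon, path).
# The lat/lon fields stand in for what an IP-geolocation enrichment step would add.
SAMPLE_EVENTS = [
    ("2026-05-15T08:00:00Z", "crew.user01", "203.0.113.10", 51.47, -0.45, "/crewportal/roster"),
    ("2026-05-15T08:20:00Z", "crew.user01", "198.51.100.7", 40.71, -74.00, "/crewportal/roster"),
    ("2026-05-15T08:25:00Z", "crew.user01", "198.51.100.7", 40.71, -74.00, "/crewportal/admin/users"),
    ("2026-05-15T09:00:00Z", "crew.user02", "203.0.113.22", 51.47, -0.45, "/crewportal/roster"),
    ("2026-05-15T12:00:00Z", "crew.user02", "203.0.113.22", 51.47, -0.45, "/crewportal/sickleave"),
    ("2026-05-15T09:30:00Z", "it.admin01", "203.0.113.50", 51.47, -0.45, "/crewportal/admin/users"),
]

ADMIN_USERS = {"it.admin01"}               # constructed allowlist of expected admin-panel users
ADMIN_PATH_PREFIX = "/crewportal/admin/"   # hypothetical admin control panel route
MAX_PLAUSIBLE_SPEED_KMH = 900.0            # faster than a commercial flight -> impossible travel


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def detect_impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive logins by one user whose implied ground speed is implausible."""
    by_user = defaultdict(list)
    for ts, user, ip, lat, lon, _path in events:
        by_user[user].append((parse_ts(ts), ip, lat, lon))
    hits = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order per user
        for prev, cur in zip(evs, evs[1:]):
            if prev[1] == cur[1]:
                continue  # same source IP: no travel to evaluate
            dist = haversine_km(prev[2], prev[3], cur[2], cur[3])
            hours = (cur[0] - prev[0]).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                hits.append({"user": user, "from_ip": prev[1], "to_ip": cur[1],
                             "km": round(dist), "speed_kmh": round(speed)})
    return hits


def detect_unexpected_admin_access(events, admin_users=ADMIN_USERS):
    """Flag admin-panel requests from accounts outside the expected admin set."""
    return [{"user": user, "path": path, "ts": ts}
            for ts, user, _ip, _lat, _lon, path in events
            if path.startswith(ADMIN_PATH_PREFIX) and user not in admin_users]


def run_hunt(events=SAMPLE_EVENTS):
    return {"impossible_travel": detect_impossible_travel(events),
            "unexpected_admin_access": detect_unexpected_admin_access(events)}


if __name__ == "__main__":
    for category, findings in run_hunt().items():
        print(category)
        for finding in findings:
            print("  ", finding)
```

On the constructed data the script flags crew.user01 twice: a London-to-New-York hop in twenty minutes, then an admin-panel request from the same new source IP. Either finding alone is noise-prone (VPNs and shared accounts generate impossible-travel hits), which is why the two are worth correlating on the same account and the same session rather than alerting on each separately.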

Sources: British Airways allegedly breached as hackers claim to have stolen pilot data