Summary

  • On Saturday 27 May 2017, British Airways reported a major IT systems failure, said there was no evidence of a cyberattack, and cancelled all remaining departures from Heathrow and Gatwick. The airline later described the initiating problem as a power failure at its primary data centre. Its later securities disclosure says the May loss of IT services caused more than 500 flight cancellations; widely reported operational estimates put the number of affected passengers at about 75,000.
  • The public company account changed in resolution as the incident unfolded. It moved from a generic power-supply issue, to a damaging return of power and communications-hardware failure, and then to IAG chief executive Willie Walsh's statement that an engineer had disconnected an uninterruptible power supply and restored power in an uncontrolled way. These are attributable company accounts, not a published independent forensic report. This article does not present an individual's action, employer or precise electrical sequence as independently confirmed fact.
  • The trigger can be stated conservatively: interruption of power to the primary data centre. The technical root cause, at the level the published corporate record supports, was failure to keep critical IT services available through that power event and restoration. Contributing conditions included ineffective continuity across power, communications, application dependencies and alternate processing. The detailed protection topology, switching state, damage mechanism, failover criteria and recovery runbook remain unknown publicly.
  • The outage did not merely remove a website. BA said communications hardware and messaging across roughly 200 systems were affected. Contemporary operational reporting recorded failures or severe impairment in check-in, operations planning, customer channels and baggage processing. Aircraft, crews, airport stands, bags and passengers then fell out of sequence, so restoring servers could not immediately restore a viable flight schedule.
  • Gatwick recovered faster than Heathrow. BA expected a near-normal Gatwick operation on 28 May while Heathrow retained substantial cancellations and delays. By 29 May the airline was operating most services, but it was still moving stranded passengers and delayed bags. The difference is evidence that recovery depended on local schedule, capacity, aircraft and passenger state as well as technical service restoration.
  • Outage causation and passenger-care compliance are separate questions. Regulation (EC) 261/2004 required refund or rerouting, care during qualifying waits, information on rights and, where its conditions were met, fixed compensation. Even extraordinary circumstances can remove fixed compensation only in defined cases; they do not erase duties of care. No conclusion about the electrical cause by itself proves or disproves compliance for a particular passenger.
  • CAA correspondence after the event is stronger evidence than generalized reports of airport disorder. BA acknowledged its rerouting obligation, agreed that many customers could not be rebooked by it, said it would pay Regulation 261 expenses regardless of travel insurance, agreed to change relevant website wording, and said it would pay fixed compensation where due. The CAA sought more detail on earliest-opportunity rerouting, other carriers, transfer costs, rights leaflets and complaint capacity. The correspondence documents live regulatory scrutiny, not a court judgment that every claim was handled correctly or incorrectly.
  • Before the outage, BA had already undertaken to the CAA to inform passengers delayed by more than two hours of their rights. A February 2017 CAA review rated BA's care-and-assistance approach "Good." Those records show that policies and oversight processes existed. The May event tested whether they scaled when the same digital channels and operational systems needed to identify, contact, reroute and support tens of thousands of people were themselves impaired.
  • British Airways recognized GBP 56 million of additional compensation fees and baggage claims in its first-half accounts; IAG reported the same exposure as EUR 65 million in its reporting currency. This is the most defensible event-cost figure in the company record. It is not the total social cost, lost revenue, reputational damage or a count of successful claims.
  • Repair evidence is mixed. The 2017 BA annual report said a comprehensive power-and-IT resilience programme had begun and key actions had been implemented; IAG's Audit and Compliance Committee received updates from BA's chair, CFO, IT director and facilities director. Later filings describe investment in resilience, data-centre migration, network redundancy, reversion plans and modernization of critical operating systems. These disclosures demonstrate governance activity and spending, but they do not publish test scenarios, recovery objectives, failover results or an independent closure opinion for the 2017 root causes.
  • The accountability conclusion is therefore layered. BA management owned continuity of the passenger service and the evidence that critical systems could recover; facilities and IT control owners owned safe power switching, dependency-aware restoration and tested alternate processing; suppliers owned contracted controls within their scope; airports owned terminal and shared-system responses; and the CAA owned consumer-law oversight. Operational control does not by itself establish negligence, individual blame or a legal breach.

Chronology first: 27-29 May 2017

Saturday 27 May: a local infrastructure event becomes a network-wide operating failure

The first public fact pattern was broad and appropriately cautious. British Airways said it had experienced a major IT systems failure causing severe disruption worldwide. It said there was no evidence of a cyberattack. As Heathrow and Gatwick terminals became congested, BA first cancelled departures up to the early evening and then cancelled all remaining departures from both airports. Heathrow said it had deployed extra customer-service colleagues and was working with the airline to assist passengers already in its terminals, according to the contemporaneous Reuters account.

The distinction between global systems impact and global flight cancellation matters. BA's digital operating environment served stations around the world, so a failure near Heathrow impaired check-in, messaging and operational decisions elsewhere. But the categorical cancellation decision publicly announced on 27 May applied to departures from Heathrow and Gatwick. Long-haul aircraft already inbound could continue toward London in some cases, and flights operated by other airlines were not disabled by BA's data centre. The incident was global in dependency reach, not a shutdown of the aviation system.

The airline's first explanation was a "power supply issue." A preserved report of the BA chief executive's 27-28 May statements records both that belief and the absence of cyberattack evidence. That language did not identify the source of electricity, the protection device, the switching action or the failure mechanism. It was an incident-stage hypothesis, not a completed root-cause analysis.

Operationally, the effect was already visible. Check-in and baggage-drop processes stopped or slowed; customer-service channels could not absorb demand; flight and passenger information became harder to reconcile; and terminals filled with people whose aircraft and bags could no longer be processed predictably. The later CAA airport-data archive for May 2017 provides the regulator's flight-level and cancellation-data source. It is useful for independent reconstruction, although a monthly table alone does not assign every cancellation's cause.

Sunday 28 May: systems return, but Heathrow cannot immediately normalize

On Sunday, BA reported that many systems had been restored. Gatwick moved toward a near-normal schedule, while Heathrow continued to suffer cancellations, delays, queues and displaced baggage. Contemporary reports recorded about 40 further Heathrow cancellations early in the day, but the more important point is structural: service restoration and operating recovery were not simultaneous.

An airline schedule is a stateful physical system. A cancelled first wave leaves aircraft at the wrong airports, crews against duty-time limits, stands and departure slots misaligned, connecting passengers broken across itineraries, and bags separated from owners. Reopening a database or message broker does not safely infer where every resource now is. The restored systems must receive and reconcile a backlog while planners decide which flights can still depart with legal crew, available aircraft, ground handling and destination capacity.

BA's chief executive acknowledged that customers had been stranded, separated from bags and left in long queues for information. Reports also recorded that backup systems had not produced rapid continuity. The 29 May operational account attributes to Alex Cruz a morning power event with a catastrophic effect on communications hardware and messaging across operating systems. It also records his statement that there was no customer-data corruption or compromise. Those are company statements. They support the messaging-cascade analysis, but they do not disclose diagnostic logs or prove the exact damage path.

Monday 29 May: most flying resumes while passenger and baggage recovery continues

By Monday, Gatwick and Heathrow long-haul services were largely normal, and BA said roughly 90% of Heathrow short-haul flights were operating. The airline was still working through stranded passengers. Cruz said just over two-thirds of affected passengers would reach their destination by the end of Monday, with others offered later rebooking. That estimate is useful as an incident-stage recovery measure, not a final audited passenger count.

The operational residue persisted beyond the main systems outage. Baggage accepted before cancellation had to be located, sorted and flown separately; passengers had to be linked to new itineraries; claims had to be opened; and aircraft and crew rotations had to be rebuilt. A 30 May report on delayed bags recorded BA's statement that systems were fully restored and a full schedule was operating on Tuesday. It also recorded continuing baggage recovery. Thus 29 May is a reasonable end for the acute flight-recovery chronology, not for every customer consequence.

The later corporate total is deliberately less granular than press estimates. IAG's 2021 prospectus says loss of IT services in May 2017 led to more than 500 flight cancellations. A Bloomberg report carried by Data Center Knowledge gives a day-level estimate of 479 cancelled flights on 27 May and 193 on 28 May, plus some on 29 May. Because IAG's formal disclosure and the press taxonomy may count schedules differently, this analysis uses "more than 500" as the company-confirmed scale and treats finer numbers as reported estimates.

What is confirmed, inferred, disputed and unknown

Accountability depends on refusing false precision. Four evidence labels keep different claims from collapsing into one narrative.

Confirmed company and regulator record. BA's filed 2017 accounts say a power failure occurred at the group's primary data centre and caused severe disruption to customers and flights. The same accounts say management identified root causes and began a comprehensive programme to improve power and IT infrastructure and resilience. IAG's Audit and Compliance Committee says it received regular updates on investigation status, root-cause identification, and immediate and longer-term recovery. The CAA correspondence confirms the regulator and airline were discussing rerouting, care, information and compensation after the incident. These records establish the event class, corporate recognition and governance response.

Supported inference. A local power event should not have removed passenger-critical service on this scale if electrical protection, communications, alternate processing, data consistency and recovery procedures had collectively provided effective continuity. That is an inference from outcome and system purpose. It does not tell us which component failed first, whether an alternate site received traffic, or whether a designed safeguard was absent, defective, bypassed or defeated by a shared dependency.

Disputed claims. The GMB union argued that earlier job reductions and outsourcing weakened BA's IT capability and made the event avoidable. BA rejected a causal link and said parties involved in this local data-centre event were local. The 27 May ITV record preserves the union allegation and BA's response. Neither position is a technical investigation. Outsourcing is an actual governance context, but a temporal association between staffing change and outage does not prove that an offshore supplier performed the relevant power action or caused the failed recovery.

Reports also alleged that a contractor switched off the supply. The facilities company associated in press reporting with the site said claims that the cause had been determined were not founded in fact. The 2 June report containing that denial is why this article does not label the person as a contractor, name an employer or treat the allegation as settled.

Unknown technical detail. No public independent investigation report reviewed for this article supplies a one-line electrical diagram, event log, UPS state, breaker history, protection setting, maintenance permit, switching instruction, network topology, damage inventory, alternate-site test result, recovery-time objective or application restoration order. The public record also does not disclose the independent investigator's identity or final opinion. It is unknown whether the initiating interruption arose from equipment failure, authorized maintenance, an unauthorized action, misunderstood instructions, or a combination. It is also unknown exactly why alternate processing did not preserve a minimum passenger operation.

The gap matters because a senior executive account can be sincere and still be incomplete. On 5 June, Walsh told journalists that an engineer disconnected the uninterruptible power supply and that the uncontrolled restoration caused damage. He also announced a full independent investigation. A Reuters report of that announcement is attributable evidence of what IAG's chief executive said. It is not a substitute for the unpublished report, underlying logs, witness interviews or test results.

Causal anatomy: trigger, root cause and contributing conditions

Trigger: interruption of data-centre power

The trigger is the immediate event that forced the system into an abnormal state. The narrowest defensible wording is a power interruption at BA's primary data centre on the morning of 27 May. BA's 2017 annual report uses "power failure," while IAG's half-year reporting uses "power failure" or "power outage." These are stronger sources than early references to a grid surge.

That distinction resolves an apparent contradiction. Local electricity providers reportedly said they saw no supply surge on their networks. BA later referred to an uncontrolled return of power inside the site. Both can be true if the harmful condition was downstream of the utility boundary, but the public evidence does not prove that topology. The article therefore does not say an external grid surge initiated the event.

Technical root cause: continuity controls did not preserve or recover the service safely

Calling the outage "human error" is too shallow. Even if an operator performed an incorrect action, a critical facility should constrain authority, require confirmation for hazardous switching, preserve evidence, isolate failure domains and recover through tested procedures. The event reached passengers because the combined power, communications and IT continuity design failed to keep essential airline processes available and failed to restore them within an operationally tolerable window.

At a more specific level, BA said power returned in an uncontrolled way and physically damaged communications hardware. Specialist reporting at the time emphasized that the unanswered question was why a second data centre did not provide usable continuity. The Data Center Dynamics reconstruction reports BA's two-stage account, two data centres and the uncertainty surrounding failover. It also labels expert interpretations as interpretations. That is the right evidentiary use: it identifies technical questions, not adjudicated answers.

The root-cause statement must therefore remain outcome-based: BA's architecture and recovery controls did not tolerate and safely recover from the primary-site power event. It would be overclaiming to assert a particular UPS model failed, both sites lost independent power, or a specific server was destroyed. Those details are not in the filed corporate record.

Contributing condition 1: concentration in communications and messaging

Cruz said tens of millions of messages moved daily among about 200 systems and that the communications failure affected those systems. A message fabric can turn local infrastructure loss into systemic unavailability when applications depend on timely exchanges for passenger records, aircraft loading, baggage, crew, departure control and flight status. Even if application servers remain powered, stale or missing messages can make their output unsafe to use.

This is a supported dependency inference, not proof that one named middleware product was the single point of failure. BA did not publish a service map, queue backlog, data-reconciliation plan or which 200 systems were materially unavailable. The accountability question is whether management knew which minimum set of messages was required to dispatch a flight and whether that path could operate independently during recovery.

Contributing condition 2: alternate processing did not deliver a minimum viable operation

Redundancy is a property demonstrated by service, not by asset count. Two rooms, two UPS units or two data centres do not provide continuity if they share network, identity, storage, management, message, power-control or recovery dependencies. Nor does a nominal standby help if data integrity cannot be established, traffic cannot be switched, or staff lack authority to declare the primary unavailable.

The incident shows that BA did not obtain effective alternate processing quickly enough to avoid mass cancellation. It does not show why. Possible explanations include shared dependencies, limited public evidence capacity, unavailable communications, incomplete replication, recovery sequencing, or a decision not to fail over because state could not be trusted. Without the independent report, selecting one would convert a control question into invented fact.

Contributing condition 3: restoration was an application problem, not only an electrical task

Power recovery has at least three gates. The facility must be electrically stable; infrastructure and communications must be restored in a controlled dependency order; and applications must be reconciled to a known business state. Bringing all equipment up at once can create inrush, network churn and simultaneous application contention. Bringing it up too slowly can miss the operating window. Either way, a green power indicator does not prove that check-in, load control or baggage messages are complete.

This is why safe restoration requires a dependency graph, staged runbook, authoritative time source, queue and database reconciliation, and explicit go/no-go ownership. The public record supports the conclusion that messaging recovery was central. It does not disclose whether BA's runbooks contained these controls or how they performed.

Contributing condition 4: peak timing amplified the consequence

The incident occurred on the first day of a UK bank-holiday and school half-term weekend. High passenger loads and constrained alternative capacity meant fewer spare seats, hotel rooms and airport resources. Peak timing did not cause the power failure. It increased the number of people exposed and made rerouting and care harder. A resilient plan should use a severe but plausible peak scenario rather than assume a quiet maintenance window.

Detection, response and recovery

Detection: the outage was obvious, but control-state evidence is not public

Flight-facing symptoms were immediately visible: check-in queues, failed baggage processes, unavailable customer channels and growing departure delay. What is not public is the internal detection path. A mature record would show the first facility alarm, the first service alarm, who declared an incident, when crisis management started, what telemetry survived, and when executives learned that recovery would exceed the day's operating window.

This distinction separates detection of impact from diagnosis of cause. BA detected a serious operational failure quickly enough to issue public warnings and cancel flights. That does not prove that engineers immediately knew the electrical state, damage scope or safe restoration path. The changing public explanation suggests diagnosis evolved, which is normal during a complex incident. Accountability lies in preserving evidence and updating claims as certainty changes, not in demanding instant certainty.

Response: cancellation contained terminal and network disorder, but communication was impaired

Cancelling the remaining Heathrow and Gatwick departures was a business-continuity decision after technical continuity had failed. It reduced the risk of indefinitely holding passengers and trying to dispatch flights without dependable processing. Yet mass cancellation created a second workload: notification, refunds, rebooking, care, baggage return and connection protection.

The channels expected to perform that work were part of the affected ecosystem. Customers reported difficulty obtaining updates, while staff faced changing operational information and crowded terminals. Heathrow's deployment of extra colleagues helped with physical presence, but airport staff could not create BA booking inventory or make every carrier decision. This is the passenger-continuity lesson: an airline needs an out-of-band way to identify affected people, publish a stable operating message, issue rights information and authorize care when primary digital channels are degraded.

Recovery: technical availability, flight viability and passenger completion are different milestones

A defensible recovery record would track at least three clocks. The first ends when core infrastructure and applications are technically stable. The second ends when a viable schedule can operate without creating new displacement. The third ends when affected passengers and bags reach a resolved state and claims are processed.

BA's chronology demonstrates the gap. Many systems returned on Sunday, most flying returned Monday, a full schedule was reported Tuesday, and baggage and compensation work continued. An incident dashboard that stopped at server availability would materially understate harm. Passenger-continuity accountability requires measures such as passengers rerouted, hotel and meal provision, average notification delay, bags reunited, claims backlog and time to final resolution.

The passenger-rights test is independent of the outage explanation

At the time of the event, Regulation (EC) 261/2004 applied in the United Kingdom. Its structure is deliberately modular. Under the official Regulation, cancellation engages Article 8 choices between reimbursement and rerouting, Article 9 care, and potentially Article 7 fixed compensation. Article 5(3) gives a carrier a defense to fixed compensation if it proves extraordinary circumstances that could not have been avoided even with all reasonable measures. That defense does not erase Articles 8 and 9.

Refund and rerouting

Article 8 gave affected passengers a choice: reimbursement, rerouting at the earliest opportunity under comparable conditions, or rerouting at a later convenient date subject to seats. The CAA's formal Article 8 rerouting guidance says airlines must give passengers comprehensive information about rerouting options, including flights on other airlines, and bear the burden of showing that the option offered was at the earliest opportunity. It also expects airlines to retain records of the options identified and offered.

Those requirements turn rerouting into a concrete evidence question rather than a general assurance that recovery was underway. For the May 2017 disruption, a defensible assessment would need passenger-level evidence of availability, contact attempts, urgency, comparable conditions, the alternatives BA identified and what it actually offered. The later CAA guidance states the control standard; it does not by itself establish whether BA met that standard for every affected itinerary.

Care and reasonable expenses

Article 9 care included meals and refreshments in reasonable relation to waiting time, hotel accommodation where an overnight stay became necessary, transport between the airport and accommodation, and communications. The CAA's February 2017 CAP 1500 compliance report emphasized proactive care, priority for passengers with reduced mobility and unaccompanied children, and reimbursement of necessary, reasonable and appropriate expenses when care was not offered.

The legal separation from cause is decisive. In McDonagh v Ryanair, the Court of Justice held that the duty to care continued even through extraordinary circumstances such as volcanic-ash airspace closure. The CJEU's Case C-12/11 record confirms there is no separate class of particularly extraordinary event that removes the care duty. Therefore, whether the BA power event was controllable affects fixed compensation analysis; it does not determine whether a passenger waiting overnight was owed care.

CAA correspondence shows the practical friction. The regulator questioned BA website language referring customers to insurers and excluding some airport-transfer costs. BA said it would pay Regulation 261 expenses whether or not customers had travel insurance, change relevant pages, and reimburse qualifying transfer expenses when BA rerouted a customer to another destination. This is evidence of correction during recovery. It is not proof that every customer saw the corrected message or received timely care.

Information rights and communication

Regulation 261 Article 14 required notice of passenger rights. This was not new to BA in May 2017. On 29 July 2016, BA had given the CAA an undertaking to provide rights information to passengers delayed by more than two hours. The CAA's current table of undertakings explains that undertakings are voluntary, do not admit wrongdoing or liability, and only a court can decide whether a breach occurred.

The pre-event evidence is nuanced. CAP 1500, published in February 2017, rated British Airways "Good" for care and assistance. It described the benchmark as proactive care in most cases, prompt expense refunds, attention to vulnerable passengers, written procedures, training and oversight. This prevents a simplistic claim that BA had no policy. It also sharpens the control test: could those policies function at mass-disruption scale when customer contact, booking and airport information depended on the failed systems?

The post-event correspondence says a BA representative had seen rights leaflets distributed in Terminal 5 and that leaflet availability was considered by the Crisis Management Team. The CAA asked for BA's post-disruption review, distribution records from Heathrow and other airports, and examples of tailored passenger letters. These requests show the regulator sought evidence of execution rather than accepting policy language alone. The disclosed file does not contain a complete final audit of every location.

Fixed compensation and extraordinary circumstances

For cancellations notified at short notice and qualifying long delays, Regulation 261 provided fixed sums of EUR 250, EUR 400 or EUR 600 depending on distance and other conditions. BA told the CAA it would pay fixed compensation "where it is due." The phrase preserved legal case-by-case assessment; it was not an admission that every cancellation qualified.

The extraordinary-circumstances issue should not be decided by analogy alone. In Wallentin-Hermann v Alitalia, the CJEU held that an aircraft technical problem is not extraordinary unless it stems from events not inherent in normal carrier activity and beyond actual control. The official Case C-549/07 record places the burden on the carrier and requires reasonable measures. The European Commission's 2016 interpretative guidelines consolidate that case law.

Those authorities concerned aircraft technical faults, not an enterprise data-centre power failure. They make control and inherent activity relevant, but they do not automatically adjudicate every 2017 BA flight. A court would need evidence about the cause, the carrier's control, reasonable measures, and the causal link to the specific cancellation or delay. The absence of a public technical report makes categorical legal declarations especially unsafe.

The CAA correspondence is not an infringement decision. It records questions, expectations and BA commitments during recovery. The CAA's 2017 passenger-complaints archive also cautions that complaint counts are not the same as decisions or payments, and that its Passenger Advice and Complaints Team did not have power to bind an airline on an individual award. Accordingly, this article finds no basis in the cited record to declare universal compliance or a universal breach.

Financial impact and the limits of the number

British Airways' first-half 2017 report gives the clearest recognized cost. It says handling, catering and other operating costs included GBP 56 million of additional compensation fees and baggage claims following the power outage, and that BA continued working with customers to honor compensation obligations. IAG reported the same provision as EUR 65 million in its group currency. These should not be added together.

The provision is evidence of material passenger remedy and baggage exposure. It does not include every revenue effect, staff cost, wet lease, hotel paid directly, reputational loss, passenger time, missed event or downstream travel-business cost. Nor does accounting recognition establish that each claim was legally required rather than commercially settled. It is a measured corporate liability category, not a full welfare estimate.

Three reconciliations are necessary before using that number in accountability analysis. First, the GBP 56 million BA figure and EUR 65 million IAG figure are reporting-currency presentations of the same provision, not separate losses. Second, a provision records the company's estimate in an accounting period; it is neither a final cash-paid total nor a passenger count. Third, later supplier compensation is a recovery recognized in a different period and cannot be netted into the passenger provision without the undisclosed settlement and accounting detail.

Keeping those ledgers separate prevents a large but bounded accounting entry from becoming an invented total cost or an implied legal allocation of fault.

IAG's later disclosures add two accountability signals. Its 2019 results say property, IT and other costs benefited from one-off supplier compensation related to the 2017 failure while being partly offset by investment in resilience and IT infrastructure. The 2019 results announcement does not name the supplier, disclose the settlement terms or assign a public legal finding. It proves that a supplier recovery was recognized, not that a particular contractor caused the initiating event.

Governance: who had practical control

British Airways executive management

BA sold the itinerary, operated the flights and controlled the customer response. Executive management therefore owned the integrated continuity outcome: investment priorities, critical-service definitions, supplier governance, incident authority, schedule decisions, communications and claims capacity. That ownership remains even where a specialist supplier operated a facility or component. Contracting transfers tasks and remedies; it does not transfer the passenger relationship.

The BA 2017 annual report is candid about dependency. It says BA relied on IT for principal business processes, on supplier IT infrastructure, and on airport baggage operators. It also says system controls, disaster recovery and business-continuity arrangements existed. The same filed annual report says the event led management to review business operations and continuity plans. The accountability question is thus not whether plans existed but what assurance showed they could survive this failure mode.

Facilities, power and IT control owners

Facilities control owners had practical control over switching authority, maintenance permits, UPS and generator configuration, physical alarms, safe isolation and restoration. IT owners controlled service maps, dependency order, data validation, failover declaration and application release. Where those roles crossed, a single incident command needed authority to decide whether the site was electrically safe, whether infrastructure state was trustworthy, and whether the airline could resume flight processing.

No public evidence assigns these controls to one named person. Good accountability examines role design, authorization and verification before individual conduct. If a single action could disconnect a live primary site and uncontrolled restoration could damage critical equipment, management would need to show why dual control, interlocks, peer confirmation, change records and alternate service did or did not prevent escalation.

Suppliers

Suppliers owned whatever facility, engineering, network or software controls their contracts assigned. They also owed BA complete incident evidence within those boundaries. But the public contract scopes are unavailable. It is therefore improper to infer that an offshore software provider controlled local electrical switching, or that a facilities provider controlled application failover. Supplier compensation later recognized by IAG signals a contractual remedy without disclosing its factual basis.

BA remained responsible for integrating supplier controls. The organization's own annual report recognized that outsourcing and complex supply chains increased critical-supplier dependency. Effective governance would map each recovery objective to an accountable owner, service-level measure, evidence source and cross-supplier exercise.

Heathrow, Gatwick and shared airport systems

Airports controlled terminal access, crowd management, shared facilities, stands and some baggage infrastructure; BA controlled its flights, passenger records and airline decisions. Heathrow deployed additional customer-service staff. Gatwick's faster return to a near-normal BA schedule indicates that local operating conditions mattered. Neither airport caused BA's primary-data-centre power failure on the public evidence.

The boundary still required joint plans. A cancelled flight can leave bags inside an airport-managed flow while ownership of passenger notification and rerouting remains with the airline. Airport and airline exercises must test that handoff, including how to stop accepting bags, return accepted bags, protect vulnerable people and publish one consistent instruction.

IAG board oversight and the CAA

IAG's Audit and Compliance Committee received regular updates from BA's chair and CFO and its IT and facilities directors. The committee report says updates covered investigation, root causes and immediate and longer-term recovery. That is evidence of senior oversight. It is not independent technical assurance because the disclosed inputs came from management and the report gives no closure criteria.

The CAA's practical control was consumer-law oversight, not operation of BA's data centres or flights. Its rapid correspondence clarified expectations on rerouting, care, information and compensation. A regulator can demand evidence and pursue collective enforcement; it cannot operate an airline's message fabric or instantly decide thousands of fact-specific claims. Keeping this boundary clear prevents the technical failure from being mislabeled as regulatory causation.

What would count as verifiable resilience repair

The incident generated promises, spending and governance activity. Durable accountability requires evidence that the specific failure path is controlled. Five proof classes are necessary.

1. Power-control proof

BA should be able to produce current single-line diagrams, protection and UPS test records, generator and battery capacity evidence, switching permits, role-based authority, dual confirmation for high-consequence actions, and immutable event logs. Restoration procedures should define staged load, communication checks and abort criteria. A maintenance exercise should prove that the primary path can be isolated without removing essential service and that restoration cannot bypass required verification.

This is not hindsight invention. UK government business-continuity guidance says plans are not reliable until exercised and specifically identifies testing systems such as uninterruptible power supply. The standard is proof of workable control, not possession of a document.

2. Alternate-processing proof

An alternate site must demonstrate independence from the initiating failure domain and enough capacity for a minimum viable airline. Tests should prove identity, network, data, message and application availability; measured recovery-time and recovery-point objectives; and a declared order for passenger-critical services. Full interruption may not always be safe, but controlled production failover, isolated rehearsal and component removal can collectively provide evidence.

NIST's SP 800-34 contingency-planning guide recommends business-impact analysis, recovery strategies, testing and plan maintenance. Its test guidance expressly contemplates removing power from a system or component and using quantifiable success criteria. NIST's SP 800-53 contingency controls require plan testing, review of results and corrective action, including tests at alternate processing sites. These are not legal duties imposed on BA by those US publications; they are authoritative benchmarks for what evidence-based recovery looks like.

3. Dependency-aware application proof

BA needs an inventory that links business outcomes to applications, messages, databases, networks, facilities and suppliers. A test should show that check-in, departure control, flight planning, crew, load control, baggage interfaces, customer notification and rebooking can either operate safely or fail in a controlled way. Recovery must prove queue reconciliation and data integrity, not merely process uptime.

The UK's National Cyber Security Centre makes the same general point in Principle B5 on resilient networks and systems: organizations should understand dependencies, plan physical upgrades such as power-supply changes to avoid unplanned interruption, and design for system failure. The principle covers cyber and system resilience; citing it does not reclassify the 2017 event as a cyberattack.

4. Passenger-continuity proof

Technical exercises should include the customer consequences of an extended outage. Can BA identify affected passengers from an independent data extract? Can it send a stable notice without the primary platform? Can airport teams issue rights information and authorize meals and hotels? Can agents reroute on other carriers? Can the airline stop baggage acceptance and reconcile bags already inducted? Can claims capacity scale without hiding a growing backlog?

Success criteria should include notification time, contact coverage, rerouting completion, vulnerable-passenger support, baggage reconciliation and claims aging. This is where large enterprises and smaller travel businesses share a continuity interest. Travel agents, hotels, transfer operators and corporate travel managers depend on accurate airline status; an outage that withholds it transfers recovery work and cash-flow pressure into the wider service chain.

5. Independent closure and recurrence evidence

The final proof should map every root and contributing cause to a corrective action, owner, due date, test, result, residual risk and board acceptance. An independent reviewer should verify a representative sample and state limitations. Publication may omit security-sensitive topology, but it can still disclose test scope, recovery objectives achieved, material exceptions and governance closure.

The public record does not reach that level. BA's 2017 annual report says a comprehensive programme began and key actions were already implemented. IAG's 2021 annual report later described three data-centre migration programmes moving systems to cloud-hosted infrastructure for enhanced resilience and performance. The 2021 report is evidence of modernization, not proof that every 2017 control gap closed.

BA's 2023 report adds more specific continuing controls: cloud migration from on-premises data centres, network remediation and redundancy, system controls, disaster recovery, business continuity and reversion plans for critical-infrastructure migrations. The 2023 BA annual report makes those first-party claims. It does not publish exercise results, and later BA outages mean modernization should not be interpreted as permanent immunity.

The most recent IAG account offers an observational signal. Its 2025 annual report says BA modernized critical check-in, flight-planning, flight-management and time-critical load-control systems, improved 2025 punctuality, and recovered more quickly after Heathrow's March 2025 airport power outage. That was a different event outside BA's data centre and cannot serve as a controlled retest of the 2017 scenario. It does, however, show that IAG now reports resilience in customer and operating outcomes, not only infrastructure activity.

Accountability matrix

Control area Practical owner in 2017 Evidence available Residual limit
Data-centre power isolation and restoration BA facilities leadership and contracted facilities operators within disclosed scopes BA/IAG identify a primary-site power failure and later resilience programme No public switching record, permit, topology, investigator report or named control owner
IT failover and application recovery BA IT leadership, infrastructure and application teams, relevant suppliers Company statements describe communications and messaging impact; filings describe continuity review No public failover timeline, dependency map, recovery objectives or test result
Incident command and schedule decisions BA executive and operational management Public cancellations, staged return and crisis-management correspondence No complete decision log or internal chronology
Airport terminal and shared-system response Heathrow, Gatwick, BA station management and handlers within their boundaries Heathrow reported extra staff; Gatwick and Heathrow had different recovery profiles Shared runbooks and baggage-control handoffs are not public
Passenger notification and rights information BA customer and airport operations; CAA oversight Pre-event undertaking, CAP 1500 rating, post-event leaflet and website correspondence No complete station-by-station delivery audit or contact-rate dataset
Care, rerouting and expense reimbursement BA as operating carrier BA accepted rerouting and expense duties; CAA stated earliest-opportunity expectations Individual offers, receipts, response times and outcomes require case evidence
Fixed compensation BA claims function; courts/ADR/CAA within their legal roles BA said it would pay where due; accounts recognize compensation and baggage provision No public universal determination for all affected flights
Root-cause closure and resilience assurance BA management and IAG board oversight Committee updates, resilience programme, later investment and modernization disclosures No public independent closure opinion tied action-by-action to 2017 causes

The table allocates operational control, not legal guilt. A supplier can control a breaker without controlling passenger communication; an airline can owe care without operating an airport hotel; and a regulator can enforce information duties without controlling data-centre design. Liability would require the applicable duty, breach, causation, damage and procedural record.

Conclusion

The May 2017 British Airways outage was not important because airlines should never lose a server or suffer a power interruption. It was important because one infrastructure event removed enough of the airline's digital operating fabric to cancel a large part of its schedule, separate passengers from bags and overwhelm the mechanisms meant to explain and repair disruption.

The public evidence supports a firm but bounded conclusion. BA's primary data centre suffered a power failure. Continuity and recovery controls did not preserve passenger-critical service. Communications and messaging dependencies spread the effect across many systems. Heathrow and Gatwick operations recovered at different rates, and passenger and baggage recovery outlasted technical restoration. BA recognized GBP 56 million of additional compensation and baggage-claim cost, began a resilience programme and placed the investigation before IAG's Audit and Compliance Committee.

The same evidence does not support a definitive claim about a named person's action, an offshore supplier, the exact UPS sequence or the physical path of damage. Those details remain behind an unpublished investigation. Corporate assertions that root causes were identified are not equivalent to public technical proof.

Passenger accountability stands on a separate record. Regulation 261 required rerouting or refund, care and rights information independently of whether fixed compensation was payable. CAA correspondence shows BA accepting core obligations and changing some customer information while the regulator pressed for evidence on other-carrier rerouting, transfers, leaflets and claims capacity. That record demonstrates active recovery and scrutiny; it does not produce a universal compliance verdict.

The durable lesson is evidentiary. Resilience is not the count of data centres, the existence of a backup plan or a later capital programme. It is measured proof that power can be isolated and restored safely, alternate processing can carry a minimum operation, applications can reconcile to a known state, and passenger care can continue through degraded channels. British Airways' later filings show sustained modernization and governance attention.

Until test scope, recovery performance, exceptions and closure evidence are visible, they remain credible repair signals rather than complete proof that every 2017 failure path has been eliminated.