The Information Commissioner’s Office (ICO) has fined British Airways £20 million after it ruled the company failed to protect customers’ personal data.
The ICO said it found the airline had been processing “a significant amount” of personal data without adequate security measures in place.
BA’s failure to properly mitigate security risks meant it broke data protection law, the watchdog said. The company’s inadequate security also meant it failed to detect a major 2018 breach for more than two months.
Investigators found the airline did not detect the attack, which began on 22nd June 2018, itself; instead it was alerted by a third party on 5th September 2018.
Once BA was made aware of the breach, it “acted promptly” and notified the relevant authorities, the watchdog said.
Commenting on the fine, Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA, and BA failed to take adequate measures to keep those details secure.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.”
The 2018 BA cyber-attack saw hundreds of thousands of customers affected, with hackers believed to have accessed the personal data of 429,612 customers and staff.
Data exposed in the attack included the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Usernames and passwords belonging to BA employee and administrator accounts were also exposed in the attack, as well as usernames and PINs of up to 612 BA Executive Club accounts.
According to the ICO, there were “numerous measures” the airline could have used to reduce the risk of attackers gaining access to its network.
These included limiting access to applications, data and tools to what was required for a given role, undertaking “rigorous testing” in the form of simulated cyber-attacks on the business’s systems, and protecting employee and third-party accounts with multi-factor authentication.
Crucially, the ICO said that none of the additional mitigating measures it suggested would have entailed “excessive cost or technical barriers” for the airline.
While the fine is the largest issued by the ICO under GDPR, the penalty still falls considerably short of the £183m the watchdog said it intended to impose when it issued its notice of intent last year.
As part of the regulatory process, the ICO said it considered representations from BA and the economic impact of the coronavirus pandemic on the business before setting a final penalty.
Denham added: “When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
Rachel Aldihieri, Managing Director of the Data & Marketing Association (DMA), said that while the fine does fall short, it could act as a wake-up call for many businesses.
She said: “Brexit and coronavirus have put businesses under an immense financial strain, and a fine of this magnitude will get the attention of board members of organisations across the UK.
“This is the largest fine issued by the ICO to date under the new GDPR laws, highlighting the importance all businesses should place on the security of customers’ data and the need to build in safeguards to protect it.”