instagram envelope_alt facebook twitter search youtube_play whatsapp remove external_link loop2 arrow-down2

British Airways fined £20m over data breach

BRITISH AIRWAYS has been hit with a record fine of £20million following a cyber attack in 2018.

Investigators found the airline should have identified the security weaknesses which enabled the attack to take place.

The carrier failed to protect the personal and financial details of more than 400,000 customers, the ICO said. It did not detect the hack for more than two months.

Information Commissioner Elizabeth Denham said: ‘People entrusted their personal details to BA, and BA failed to take adequate measures to keep those details secure.

‘Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.

‘That’s why we have issued BA with a £20million fine — our biggest to date.

‘When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives.’

British Airways announced in July last year that the ICO was proposing to issue a fine of more than £183million.

This is more than nine times the £20 million the airline has eventually been fined.

The ICO said it considered ‘representations from BA and the economic impact of Covid-19 on their business’ before setting the final penalty.

A British Airways spokeswoman said it was sorry it fell short of its customers expectations but was pleased the ICO recognised it had made considerable improvements to the security of its systems since the attack.

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff.

This included the names, addresses, payment card numbers and the three digits on the back of cards of 77,000 customers, and card numbers only for 108,000 customers.

Usernames and passwords of British Airways’ employee and administrator accounts, as well as the usernames and PINs of up to 612 of the airline’s Executive Club accounts, were also potentially accessed.

Investigators found that the carrier did not detect the attack on June 22, 2018 and more than two months passed before they were alerted by a third party on September 5.

The ICO found there were ‘numerous measures’ British Airways could have used to prevent or reduce the impact of the attack.

These include undertaking rigorous testing on its systems and protecting accounts with multi-factor authentication. None of these would have involved ‘excessive cost or technical barriers’ and some were available through the operating system being used by the airline.

The watchdog said the carrier ‘acted promptly’ once it became aware of the hack, and has since made ‘considerable improvements to its IT security’.