British Airways has been ordered to pay £20 million by the Information Commissioner’s Office (ICO) for a 2018 data breach that resulted in the personal data of over 400,000 customers and staff being stolen by hackers. While the fine is the largest ever imposed by the ICO, the final settlement is much smaller than a £180 million penalty originally proposed by investigators, in part because of the impact the COVID-19 pandemic has had on the airline business.
“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” commented Information Commissioner Elizabeth Denham on Friday after details of the fine were announced.
Hackers managed to access the personal details of 429,612 customers and staff, including the names, addresses, payment card numbers and CVV numbers of 244,000 customers. Also included in the stolen data were the usernames and passwords of British Airways employees and the login details of some members of BA's Executive Club frequent flyer programme.
The ICO concluded that British Airways should have identified the weaknesses in its IT security and plugged the gaps with measures that were readily available at the time. Instead, British Airways did not detect that customer and employee data had been compromised until at least two months after it had been stolen.
Even then, the airline only became aware of the hack after a third party informed it of the leak.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date,” Denham explained.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
In its latest financial results, BA’s parent company accounted for a roughly £20 million fine for the data breach. The ICO had originally proposed a penalty of as much as £180 million but in the end, and after considering representations from BA and accounting for the economic effects of the COVID-19 pandemic, a fine of £20 million has been agreed.
Investigators found that BA had failed to protect employee and third-party accounts with multi-factor authentication, had not undertaken rigorous testing of its IT systems and had given some employees access to more systems than they needed. Since the attack, however, the ICO noted that BA has made considerable improvements to its IT security.
Earlier this year, British low-cost operator easyJet revealed that it had fallen victim to a "highly sophisticated" cyber attack. Some 2,208 customers had their credit card details stolen, while the hackers also took the personal details of around nine million customers.
The ICO is continuing to investigate and is yet to say whether easyJet will be fined.
Mateusz Maszczynski honed his skills as an international flight attendant at the most prominent airline in the Middle East and has been flying throughout the COVID-19 pandemic for a well-known European airline. Matt is passionate about the aviation industry and has become an expert in passenger experience and human-centric stories. Always keeping an ear close to the ground, Matt's industry insights, analysis and news coverage are frequently relied upon by some of the biggest names in journalism.