The Information Commissioner’s Office (ICO) in the U.K. fined British Airways (BA) £20 million (approximately US$26 million) for failing to protect its customers’ sensitive information in a cyberattack in 2018. ICO’s investigation found that the airline was handling its customers’ data without adequate cybersecurity measures.
“The attack affected potentially 429,612 customers and staff, including names and financial details. British Airways failed to put in place a number of IT security measures, such as multi-factor authentication, and they were not aware of the attack until a third-party alerted them,” ICO said.
The data breach, which began in June 2018, went undetected for two months, exposing the personal and financial details of more than 400,000 users. The compromised details included customers’ login, payment card, name, address, and travel booking information, which attackers collected after diverting users to a fraudulent website.
Biggest Fine to Date
In June 2019, the ICO issued a notice of intent to fine British Airways £183.39 million (approximately US$230 million). However, the regulator reduced the penalty amount, taking into account the economic impact of COVID-19 on the airline’s business.
“Because the British Airways breach happened in June 2018, before the U.K. left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process,” ICO added.
Information Commissioner Elizabeth Denham said, “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That is why we have issued BA with a £20m fine – our biggest to date. When organizations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”