British Airways has been fined £20 million over a 2018 data breach in which 400,000 customers’ personal information was compromised by hackers.
The fine is the largest ever issued by the Information Commissioner’s Office (ICO), but a significant reduction from the £183 million sum initially announced in 2019. This reduction was expected, however, as account filings by BA owner International Airlines Group (IAG) earlier this year revealed that it had made a provision of only £20 million to cover the expected sanctions.
The BA data breach triggered the first major investigation to be carried out under revamped data laws that called for heavier fines as a proportion of a company’s turnover than had previously been mandated.
ICO investigators found that BA had not taken adequate steps to identify weaknesses in its security, which it could have resolved using security measures available to it at the time. Around 244,000 of the approximately 433,000 customers and staff affected by the breach had their names, addresses and full payment card numbers and CVVs stolen by hackers.
“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said Information Commissioner Elizabeth Denton. “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”
[ymal]
The ICO said “the economic impact of COVID-19” had been taken into account in issuing the fine.
"We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation," said a BA spokesperson.
Carl Gottlieb, a data protection officer, noted that £20 million was a “massive” fine given the current economic climate.
"It shows the ICO means business and is not letting struggling companies off the hook for their data protection failures," he said.
