The ICO has fined British Airways £20m for a data breach affecting more than 400,000 customers.
The watchdog found that the airline was processing personal data “without adequate security measures in place” breaking data protection law. Subsequently BA suffered a severe cyber attack in 2018, which it did not detect for more than two months.
The investigation into the breach found the airline “ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.”
Last June the watchdog issued a notice to fine BA £183.9m for the breach and considered representations from the firm as well as assessing the economic impact of the pandemic before setting a final penalty.
Investigators found that BA did not detect the attack in June 2018 and were instead alerted by a third party more than two months later, which they then reported.
The attacker is believed to have potentially accessed the personal data of 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers.
“It is not clear whether or when BA would have identified the attack themselves”, the ICO said today.
Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.”
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”
A spokesperson for British Airways said: “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations.”
“We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”