British Airways fined £20m over data breach

british airways tails

The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20 million for a data breach which affected more than 400,000 customers.

An investigation by the ICO found the airline failed to implement adequate security measures in the processing of signficiant amounts of personal data. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018.

It took two months before BA was made aware of the breach by a security researcher and notified the ICO. The data stolen included log in, payment card and travel booking details as well name and address information.

A subsequent ICO investigation found BA should have identified weaknesses in its security and resolved them with security measures that were available at the time. Investigators concluded that had BA addressed these security issues, it could have prevented the attacks. 

Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20 million fine – our biggest to date.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

In June 2019 the ICO issued BA with a notice of intent to fine. The initially proposed figure was for £183 million, however, this was reduced during the regulatory process, which took the economic impact of COVID-19 into account

Nonetheless, the figure is still a significant moment for data privacy and BA, and considering BA’s precarious situation of late, the fine comes as yet another blow to the airline.

Source: Roshan Shah