The Information Commissioner’s Office (ICO) has issued a fine of £20 million to British Airways, for “failing to protect the personal and financial details of more than 400,000 of its customers”.

The fine relates to a data breach back in 2018, and is the largest penalty issued by the ICO to date, although it is considerably less than the £183 million that the ICO suggested it could impose last year.

British Airways faces £183 million fine for data breach

The ICO said it had “considered both representations from BA and the economic impact of Covid-19 on their business before setting a final penalty”.

In a statement the Office said:

“An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.

“ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.

“Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded.”

The investigations found that an attacker had potentially access the personal data of approximately 429,612 customers and staff, including the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

In addition the usernames and passwords of BA employee and administrator accounts, as well as the usernames and PINs of up to 612 Executive Club accounts were potentially accessed

The ICO said that there were “numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network”, from limiting access to applications, data and tool to only that which are required to fulfil a user’s role, to undertaking rigorous testing and protecting employee and third party accounts with multi-factor authentication.

The Office said that “none of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA”.

It did however say that BA had made “considerable improvements to its IT security” since the attack.

Commenting on the decision Information Commissioner Elizabeth Denham said:

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”,