British Airways dodges £183 million data breach fine after coronavirus disruption
The Information Commissioner's Office will now fine the airline £20 million for a data breach that affected over 400,000 customers

The Information Commissioner’s Office has said it will now fine British Airways £20 million following a breach of its systems in 2019, which is significantly lower than the £183 million penalty originally announced against the company.
The UK’s data watchdog said that the final figure had taken into account appeals from British Airways and the economic fallout from the ongoing coronavirus pandemic.
British Airways revealed it had fallen victim to a cyber attack in September 2018, and that the financial and personal details of around 380,000 customers had been lost.
This was followed by a second incident a month later, with the company admitting that a further 185,000 customers who made bookings using its Avios rewards system during that time may have also been affected.
Following an investigation by the ICO, the attack is said to have involved 429,612 customers and staff in total, with names, addresses, payment card numbers, and CVV numbers of 244,000 customers being lost.
In July 2019, the ICO announced its intention to fine British Airways £183 million, approximately 1.5% of the company’s annual turnover, considered to be the largest fine ever issued against a company under GDPR.
While the new £20 million fine is the largest the ICO has issued to date, it’s still lower than the £50 million fine issued by French regulator CNIL against Google in 2019.
“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said Information Commissioner Elizabeth Denham, announcing the enforcement on Friday.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”
The regulator said that British Airways had failed to take basic actions to protect customer data, including a lack of multi-factor authentication across at least 13 critical applications. The regulator claims that many basic measures were available for free through the airline’s use of Microsoft Windows, but were not enforced.
It was also found that British Airways was only alerted to the data breach when a third party raised the issue more than two months later, and that there was little evidence that the airline would have ever been able to identify the attack itself.
This latter point was considered a severe failing by the watchdog, although it has recognised that security has significantly improved in the months following the ICO's investigation.
"We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations," a British Airways spokesperson said on Friday.
"We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation."
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.