Published: Sun, October 18, 2020

British Airways fined $25 million over massive data breach


British Airways has been fined £20 million ($26 million) by the Information Commissioner's Office (ICO) in the United Kingdom over a data breach in 2018 that left the personal and financial details of 429,612 BA customers exposed.

Following an investigation spanning nearly two years, the ICO concluded that British Airways did not have sufficient security measures in place to process significant amounts of personal data.

The Information Commissioner's Office (ICO) said its investigators found BA should have identified weaknesses in its security and resolved them with measures available at the time, which would have prevented the data breach.

"Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result", ICO investigators outlined in the statement. The ICO announced the actual fine today, and it's only £20 million ($25.85 million), nearly one-tenth of the amount proposed last year.

Although the penalty is by far the biggest imposed in the United Kingdom since the introduction of the EU General Data Protection Regulation in 2018, it is vastly reduced from the £183m that the ICO announced in June 2019 that it intended to levy.

The attacker is believed to have potentially accessed the personal data of around 429,612 customers and staff. Usernames and PIN numbers of BA Executive Club accounts were also compromised.


The BA probe was different because it was an EU-wide effort led by the ICO.

It's also unclear whether the airline would have spotted the attack on its own. Regulators considered this a "severe failing" because of the number of people affected and the potential financial damage that could have been done.

"When organizations make the wrong decisions about other people's personal data, it can have a real impact on their lives. The law now gives us tools that encourage more efficient decision-making when it comes to data, including investments in up-to-date security technologies," commented Elizabeth Denman, an ICO member. Having completed this process, the regulator said that it had "considered both representations from BA and the economic impact of Covid-19 on their business before setting a final penalty".

For their part, a British Airways spokesperson said: "We warned customers as soon as we became aware of the attacks on our electronic systems in 2018 and apologize to our customers".

British Airways could have taken several cheap steps to prevent the risk of such an attack, such as limiting access to applications and protecting accounts with "multi-factor authentication", officials said.

Mystery surrounds the sudden departure of Mr Cruz, who less than a month ago faced MPs to defend the airline's actions during the pandemic.
