The Information Commissioner鈥檚 Office (ICO) has聽fined British Airways (BA) 拢20m for failing to protect the personal and financial details of more than 400,000 of its customers.
An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place.
It said this failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months. The attack’s existence was raised by a third party.
The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.
Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.
The ICO said there were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network, including聽limiting access to applications, data and tools to only that which are required to fulfil a user鈥檚 role, undertaking rigorous testing, in the form of simulating a cyber-attack,聽 and protecting employee and third party accounts with multi-factor authentication.
None of these measures would have entailed excessive cost or technical barriers, said the ICO, with some available through the Microsoft Operating System used by BA.
It said since the attack, BA has made considerable improvements to its IT security.
ICO investigators found BA “ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.”
Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded.
Information Commissioner Elizabeth Denham said: 鈥淧eople entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
鈥淭heir failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That鈥檚 why we have issued BA with a 拢20m fine 鈥 our biggest to date.
鈥淲hen organisations take poor decisions around people鈥檚 personal data, that can have a real impact on people鈥檚 lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.鈥
Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR.
The penalty and action have been approved by the other EU DPAs through the GDPR鈥檚 cooperation process.
In June 2019 the ICO issued BA with a notice of intent to fine. As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.
A spokesperson from British Airways told 老九品茶Cloud: “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers鈥 expectations.
“We are pleased the ICO recognises that we have made considerable improvements to鈥痶he security of our systems since the attack and that we fully co-operated with its investigation.”