British Airways Hit With Record £20m Fine For Data Breach

British Airways has been hit with a record £20 million fine by the British data protection watchdog, the Information Commissioner's Office (ICO).

On 6 September 2018, BA said its systems had been hacked, which resulted in the data of 400,000 customers being harvested by attackers as it was entered.

To make matters worse, BA was completely unaware of the hack for two months, as the attack began in June 2018, during the busy summer holiday period. The airline only became aware it had been compromised when it was notified by a third party.

Record fine

And now the ICO has decided it will fine British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.

But that (surprisingly) is good news for the airline, as it could have been much, much worse.

This is because back in July 2019, the ICO had proposed to fine British Airways an eye-watering £183.39 million for the data breach.

At the time, the airline said it was “surprised and disappointed” by the decision, and said it would make representations to the regulator ahead of a final decision.

And now the ICO has announced it has settled on a fine of just £20 million, which is still a record amount. The regulator said it had considered BA’s representations and took into account the economic impact caused by the global Coronavirus pandemic, to reach its £20 million figure.

The fine was issued under GDPR guidelines, as the UK at the time of the hack was still a part of the European Union.

The ICO said that the penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

The ICO said that its investigation had found the airline was processing a significant amount of personal data without adequate security measures in place.

ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.

Real world impact

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said Information Commissioner Elizabeth Denham.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result,” she added. “That’s why we have issued BA with a £20m fine – our biggest to date.”

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives,” said Denham. “The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

Significant consequences

One security expert said the size of this record fine should serve as a warning to organisations of the real financial impact that can be incurred for failing to properly secure customer data.

“Fines are, without doubt, a necessary part of the data breach chain,” explained Jake Moore, cybersecurity specialist at ESET. “Organisations must understand they cannot get away with compromising personal data – which will have potentially cost customers more than this initial fine.”

“While some organisations view these fines simply as a potentially inevitable business cost, the fine issued must represent the real cost to customers and the situation they have been placed in,” said Moore.

“Significant consequences to businesses are of the utmost importance at the current moment, as the rapid, potentially haphazard move to remote working has caused a shift in priorities for some – with organisations potentially neglecting data protection amongst the chaos,” Moore concluded.

It should be noted that British Airways is not the only airline to have been compromised.

In May this year budget airline easyJet admitted it had been subjected to a “highly sophisticated” cyber-attack that had compromised the data of millions of customers.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
