An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place.
This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.
The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.
Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA executive club accounts were also potentially accessed.
ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but were alerted by a third party more than two months afterwards on 5 September. Once they became aware BA acted promptly and notified the ICO.
It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.
ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time. Had it done so, this would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded.
Information Commissioner Elizabeth Denham said: ‘Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.
‘When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.’
Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the general data protection regulation (GDPR).
The penalty was issued under the Data Protection Act 2018 for infringements of the GDPR. Previously, the ICO indicated it was considering applying a penalty of £183.39m, but said it had reduced the amount after it narrowed the focus of its action, considered mitigating factors and applied discounts, which included reflecting the economic pressures on the company stemming from the coronavirus crisis.
A BA spokesman said: ‘We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.’
Businesses that infringe key elements of the GDPR requirements can face fines of up to €20m (£18m), or 4% of their worldwide annual revenue from the preceding financial year, whichever amount is higher.
Research with 1,200 companies carried out by RSM’s economic consulting team for Department for Digital, Culture, Media and Sport (DCMS) has found that the introduction of the GDPR has encouraged a greater focus on cyber security.
However, the evidence suggests that it has not impacted all aspects of cyber security equally. More improvements were reported in relation to governance, risk management, data security and systems security, while less change was evident in relation to procurement and supply chain risk management.
Organisations were also more likely to have made changes to data protection (71%) rather than other aspects of cyber security (62%).
Jenny Irwin, RSM’s economic consulting partner said: ‘Cyber risk has been heightened by the coronavirus across every organisation as we rely more on remote working and digital which opens up more areas of exposure.
‘The findings show that GDPR has successfully encouraged improvements in cyber risk management for organisations within scope of the regulation, however companies do need to review practice and policies as a priority.’
British Airways penalty notice