British Airways will have to pay a £20 ($25.9) million fine for a 2018 data breach wherein over 430,000 customers’ data was compromised. The Information Commissioner’s Office cited the Data Protection Act 2018 and the GDPR as the basis of the fine.
The United Kingdom’s Information Commissioner’s Office (ICO) on Monday penalized the country’s flagship airline British Airways under the Data Protection Act 2018 for infringements of the GDPR. ICO fined British Airways a whopping £20 million or $25.9 million, which is the biggest-ever penalty imposed by the U.K. data protection watchdog.
According to ICO, British Airways failed to implement appropriate measures in protecting the personal data of over 400,000 people, including employees and customers. The failure to do so resulted in a cyberattack on the company, which ICO said wasn’t detected for two months post the June 2018 cyber incident.
The U.K. watchdog believes identification and implementation of appropriate data security measures pertaining to the GDPR and Data Protection Act 2018 would have prevented the hack that compromised information of 429,612 people.
The attack affected potentially 429,612 customers and staff, including names and financial details. BA failed to put in place a number of IT security measures, such as multi-factor authentication, and they were not aware of the attack until a third party alerted them. pic.twitter.com/CYKcHBcR4i
— ICO (@ICOnews) October 16, 2020
Measures such as multi-factor authentication (MFA), rigorous testing and attack simulation could have potentially mitigated the attack. Information Commissioner Elizabeth Denham said, “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date. When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
See Also: Barnes & Noble Falls Foul of Cyberattack
Breached data included:
- The names, addresses, payment card numbers and CVV numbers of 244,000 of the airline’s customers
- Combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers
- Usernames and passwords of British Airways employee and administrator accounts, and possibly usernames and PINs of up to 612 British Airways Executive Club
ICO had originally issued a notice of intent to fine the air carrier with $183 million in June 2019. After statements by the British Airways representatives, and considering the economic impact of the COVID-19 (which grounded all flights for months), the data protection watchdog ended up imposing a much lower $25.9 million penalty (which is still its biggest yet).
David McIlwaine, Partner at law firm Pinsent Masons, said, “Whilst the fine has reduced from £183m, as outlined in the notice of intent, to £20m, only £4m of that reduction has been specifically attributed to Covid-19. It is hard to think of an industry that has been affected more by the pandemic than the airline industry, so clearly organisations should not expect significant leniency during these times.”
A spokesperson from British Airways said, “We are pleased the ICO recognizes that we have made considerable improvements to the security of our systems since the attack and that we fully cooperated with its investigation.”
Denham adds, “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Let us know if you liked this news on LinkedIn, Twitter, or Facebook. We would love to hear from you!