The Information Commissioner’s Office (ICO) has fined British Airways £20 million for a serious data breach which took place in 2018. The breach – which happened due to a cyberattack – compromised the personal and financial details of more than 400,000 British Airways’ customers and staff.
According to the ICO, the data exposed in this attack included names, addresses, payment card numbers and the CVV numbers of 244,000 customers. Other details believed to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. Usernames and passwords of employee and administrator accounts, as well as usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.
The hack went undetected for more than two months and was eventually discovered by a third party. According to the ICO:
“It is not clear whether or when BA would have identified the attack themselves. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant”.
British Airways was initially facing a £183 million fine for the data breach. However, this amount has been reduced to £20 million after appeal.
What has the ICO said about the British Airways data breach?
According to the ICO, the airline was processing a significant amount of personal data without adequate security measures in place. ICO investigators believe that British Airways should have identified weaknesses in its security and resolved them. If this had happened, the airline would have prevented the 2018 cyberattack. The measures British Airways could have taken to mitigate or prevent the risk would not have entailed excessive cost or technical barriers.
Speaking about this case, Information Commissioner Elizabeth Denham said:
“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
Why has the fine been reduced?
In June 2019 the ICO issued British Airways with a notice of intent to fine. At this stage, British Airways was facing a record £183 million fine by the Information Commissioner’s Office (ICO). The penalty would have been equivalent to 1.5 per cent of British Airways’ global turnover.
However, as part of the UK’s regulatory process, the ICO considered representations from British Airways and took the economic impact of COVID-19 on the airline into account before setting the final penalty at £20 million. This penalty was issued under the Data Protection Act 2018 for infringements of the GDPR.
Make a British Airways compensation claim with Keller Lenkner UK
If your data was put at risk in the British Airways data breach, you might be able to make a compensation claim. Keller Lenkner UK has launched a British Airways Data Breach Group Action to help victims achieve justice.