UK fines British Airways for failures in 2018 data hack

UK’s ICO downgrades British Airways data breach fine to £20M, after originally setting it at £184M

British Airways fined £20m for data breach affecting 400,000 customers

The Information Commissioner's Office (ICO) has fined British Airways £20 million for a 2018 hack that saw credit card and personal data of more than 420,000 people stolen.

The ICO finding that the airline was processing a significant amount of personal data without adequate security measures in place is particularly damning.

"Their failure to behave was unacceptable and affected tons of hundreds of individuals, which can have precipitated some anxiousness and misery because of this", UK Data Commissioner Elizabeth Denham said in a statement, adding that the 20 million-pound fine was the biggest her agency has issued to date.

"That's why we have issued BA with a GBP20 million fine – our biggest to date."

"We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation".

It's also unclear whether the airline would have spotted the attack on its own, which was considered a "severe failing" because of the number of people affected and the potential financial damage that could have been done, according to regulators.

In June 2019, the ICO issued the airline with a notice of intent to fine, finally revealing the actual size of the proposed financial penalty. The ICO notes that, but for the Covid-19 Policy which allows it to take account of the impacts of the pandemic, the original fine would have been £24m.

US hotel operator Marriott International in March suffered its second data incident in less than two years, with information on about 5.2 million of its hotel guests exposed in a breach.

In a statement released today, the ICO concluded: 'It is not clear whether or when BA would have identified the attack themselves.' It suggested various measures that BA could have taken to prevent the breach from occurring, which were not implemented, and commented that each of the several steps that the attacker took, leading to the eventual breach of personal data, "could have been prevented, or its impact mitigated, by BA implementing one or more of a range of appropriate measures that were open to it". Furthermore, 77,000 customers had both their card and CVV numbers exposed, while 108,000 had just their card numbers infiltrated.

Once it became aware, BA acted promptly and notified the ICO.

On Monday, IAG announced it was replacing BA's chief executive Alex Cruz with Aer Lingus boss Sean Doyle with immediate effect. During a cyberattack that lasted two months, the company lacked adequate security to protect itself.

Mr Gallego is hoping to spearhead a recovery for the airline and is thought to have wanted a new face at the helm of BA, with Mr Cruz's relationship with workers, unions and politicians growing increasingly fractious.
