The UK’s Information Commissioners Office (ICO) has fined British Airways £20m, the biggest ever issued, following a data breach in 2018 that saw the personal details of over 400,000 customers exposed.
The data loss was as a result of a cyber attack on the airline but the ICO found that British Airways had routinely been storing customer data without “adequate security measures” in place to prevent their theft.
Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.”
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.“
The data breach included personal details such as names, addresses and travel documents as well as payment information including CCV2 numbers, which should not be stored.
The ICO highlighted a number of measures British Airways could have done to prevent the attack and subsequent data loss including limiting access to the systems and carrying out regular tests against cyber attacks.
The breach was compounded when British Airways themselves failed to notice it. The airline only knew about the breach after being alerted by a 3rd party some 3 months after the attack.
In response, a spokesperson for British Airways said “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations.
“We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.“
Read the full announcement from the ICO.