British Airways fined £20m for data breach affecting more than 400,000 customers

Sign up to Simon Calder’s free travel email for expert advice and money-saving discounts

Get Simon Calder’s Travel email

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy policy

British Airways has been fined £20m for an “unacceptable” data breach that affected more than 400,000 customers in 2018.

Following an investigation, the Information Commissioner's Office (ICO) concluded that the airline failed to adequately protect the personal and financial details of clients, and issued its biggest fine to date.

The UK flag carrier was also found to have broken data protection laws by processing a “significant amount” of personal data without having solid enough security measures in place, leading to a large-scale cyberattack in June 2018.  

This data breach went undetected for two months.

It’s believed the attacker potentially accessed the personal data of 429,612 passengers and staff, including the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

The attack only came to light when a third party alerted BA more than two months after the fact, on 5 September.

According to ICO investigators, it was unclear whether the breach would have ever been detected by the airline, which they deemed a “severe failing” considering the number of people affected.

British Airways also should have been able to identify the weaknesses in its security systems and address them using technology that was available at the time, found the ICO.

Investigators ruled that, had these security issues been resolved, the 2018 cyberattack would have been prevented.

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said information commissioner Elizabeth Denham.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That's why we have issued BA with a £20m fine – our biggest to date.

“When organisations take poor decisions around people's personal data, that can have a real impact on people's lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

Numerous measures could have been taken by BA, according to the investigation, including undertaking rigorous testing, in the form of simulating a cyberattack, on the business' systems; protecting employee and third party accounts with multi-factor authentication; and limiting access to applications, data and tools to only that which are required to fulfil a user's role.

These measures would not “have entailed excessive cost or technical barriers”, said the ICO.

However, the investigation noted that the carrier has made considerable improvements to its IT security since the attack.

A British Airways spokesperson said: “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations.

“We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”