ICO Fines British Airways £20M
October 19, 2020
The Information Commissioner’s Office (ICO) has fined British
Airways (BA) £20m for failing to protect the personal and financial
details of more than 400,000 of its customers.
An ICO investigation found the airline was processing a significant
amount of personal data without adequate security measures in place.
This failure broke data protection law and, subsequently, BA was the
subject of a cyber-attack during 2018, which it did not detect for
more than two months.
ICO investigators found BA ought to have identified weaknesses in
its security and resolved them with security measures that were
available at the time.
Addressing these security issues would have prevented the 2018
cyber-attack being carried out in this way, investigators concluded.
Information Commissioner Elizabeth Denham said: “People entrusted
their personal details to BA and BA failed to take adequate measures
to keep those details secure.
“Their failure to act was unacceptable and affected hundreds of
thousands of people, which may have caused some anxiety and distress
as a result. That’s why we have issued BA with a £20m fine – our
biggest to date.
“When organisations take poor decisions around people’s personal
data, that can have a real impact on people’s lives. The law now
gives us the tools to encourage businesses to make better decisions
about data, including investing in up-to-date security.”
Because the BA breach happened in June 2018, before the UK left the
EU, the ICO investigated on behalf of all EU authorities as lead
supervisory authority under the GDPR. The penalty and action have
been approved by the other EU DPAs through the GDPR’s cooperation
In June 2019 the ICO issued BA with a notice of intent to fine. As
part of the regulatory process the ICO considered both
representations from BA and the economic impact of COVID-19 on their
business before setting a final penalty.
Details of the cyber attack
attacker is believed to have potentially accessed the personal data
of approximately 429,612 customers and staff. This included names,
addresses, payment card numbers and CVV numbers of 244,000 BA
Other details thought to have been accessed include the combined
card and CVV numbers of 77,000 customers and card numbers only for
Usernames and passwords of BA employee and administrator accounts as
well as usernames and PINs of up to 612 BA Executive Club accounts
were also potentially accessed.
Failure to prevent the attack
There were numerous measures BA could have used to mitigate or
prevent the risk of an attacker being able to access the BA network.
limiting access to applications, data and tools to only that
which are required to fulfil a user’s role
undertaking rigorous testing, in the form of simulating a
cyber-attack, on the business’ systems;
protecting employee and third party accounts with multi-factor