ICO fines British Airways £20m for customer data breach

British Airways has been fined a record £20m for failing to protect the personal and financial details of more than 400,000 of its customers.

An investigation by the Information Commissioner's Office (ICO) found that the airline had processed a significant amount of personal data without adequate security measures in place. BA was then hit by a cyber-attack in 2018, which went undetected for more than two months.

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff, including names, addresses and credit card details.

According to the ICO, BA should have identified weaknesses in its security and resolved them with security measures that were available at the time. Doing so would have prevented the 2018 cyber-attack being carried out in this manner.

Commenting on the case, Information Commissioner Elizabeth Denham said: 'People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

'Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That's why we have issued BA with a £20m fine — our biggest to date.'

The ICO investigated the data breach on behalf of all the European Union authorities as the lead supervisory authority under the General Data Protection Regulation (GDPR), as the incident occurred before the UK left the EU.

In 2019 the ICO proposed a fine of £183m but the amount was reduced after taking into account representations from BA and the economic impact of Covid-19 on its business.

Since the attack, the airline has upgraded its IT security.

> Go to Transport industry homepage