British Airways Hit With Record £20m Fine For Data Breach

A BA British Airways aeroplane. Image credit Steve Mann / Shutterstock

Data protection watchdog reconsiders its £183.4 million fine against British Airways for 2018 data breach, and lowers it down to £20 million

British Airways has been hit with a record £20 million fine by the British data protection watchdog, the Information Commissioners Office (ICO).

On 6 September of 2018 BA said its systems had been hacked, that resulted in the data of 400,000 customers being harvested by attackers as it was entered.

To make matters worse, BA was completely unaware of the hack for two months, as the attack began in June 2018, during the busy summer holiday period. The airline only became aware it had been compromised when it was notified by a third party.

Record fine

And now the ICO has decided it will fine British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.

But that (surprisingly) is good news for the airline, as it could have been much, much worse.

This is because back in July 2019, the ICO had proposed to fine British Airways an eye watering £183.39 million penalty for the data breach.

At the time, the airline said it was “surprised and disappointed” by the decision, and said it would make representations to the regulator ahead of a final decision.

And now the ICO has announced it has settled on a fine of just £20 million, which is still a record amount. The regulator said it had considered BA’s representations and took into account the economic impact caused by the global Coronavirus pandemic, to reach its £20 million figure.

The fine was issued under GDPR guidelines, as the UK at the time of the hack was still a part of the European Union.

The ICO said that the penalty and action has been approved by the other EU DPAs through the GDPR’s cooperation process.

The ICO said that its investigation had found the airline was processing a significant amount of personal data without adequate security measures in place.

ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.

Real world impact

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said Information Commissioner Elizabeth Denham.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result,” she added. “That’s why we have issued BA with a £20m fine – our biggest to date.”

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives,” said Denham. “The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

Significant consequences

One security expert said the size of this record fine should serve as a warning to organisations of the real financial impact that can be incurred for failing to properly secure customer data.

“Fines are, without doubt, a necessary part of the data breach chain,” explained Jake Moore, cybersecurity specialist at ESET. ” Organisations must understand they cannot get away with compromising personal data – which will have potentially cost customers more than this initial fine.”

“While some organisations view these fines simply as a potentially inevitable business cost, the fine issued must represent the real cost to customers and the situation they have been placed in,” said Moore.

“Significant consequences to businesses are of the utmost importance at the current moment, as the rapid, potentially haphazard move to remote working has caused a shift in priorities for some – with organisations potentially neglecting data protection amongst the chaos,” Moore concluded.

It should be noted that British Airways is not the only airline to have been compromised.

In May this year budget airline easyJet admitted it had been subjected to a “highly sophisticated” cyber-attack that had compromised the data of millions of customers.