The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.
This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.
The £20m fine is smaller than the £183m the ICO originally intended to fine BA, as it took the impact of Covid-19 into account.
The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
The ICO found that BA could have used numerous measures to mitigate or prevent the attack, including limiting access to applications, data and tools to only that which are required to fulfil a user’s role; undertaking rigorous testing on the business’ systems and protecting employee and third party accounts with multi-factor authentication.
Elizabeth Denham, Information Commissioner said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.
Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.
Reserve your place today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.