The UK's Information Commissioner’s Office (ICO) has fined British Airways £20 million ($25.9 million)—the largest penalty the office has ever imposed—for failing to protect the personal and financial details of more than 400,000 of its customers, the ICO said Friday.
An ICO investigation found the airline processed a “significant amount” of personal data without adequate security measures in place. That failure broke data protection law, and BA subsequently became the subject of a cyberattack in 2018 that it did not detect for more than two months, said the ICO.
ICO investigators found that BA should have identified weaknesses in its security and resolved them with security measures available at the time.
“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said information commissioner Elizabeth Denham in a statement. “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine—our biggest to date.”
Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities, and the other European authorities have approved the penalty.
The ICO believes the attacker potentially accessed the personal data of 429,612 customers and staff. The information included names, addresses, payment card numbers, and card verification value (CVV) numbers of some 244,000 BA customers. The office also said the attacker potentially accessed usernames and passwords of BA employee and administrator accounts, as well as usernames and PINs of up to 612 BA Executive Club accounts.