The ICO found that BA had “adequate security measure in place” when the airline suffered a cyber attack two years ago – a breach that was not detected for more than two months.
Information commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20 million fine – our biggest to date.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
The cyber attack saw the personal data of 429,612 customers and staff being “potentially accessed”. This included the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Even though the attack on BA’s systems and data breach took place on 22 June 2018, it was only identified by a third party on 5 September 2018.
“It is not clear whether or when BA would have identified the attack themselves,” added the ICO. “This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.”
Because the cyber attack took place before the UK left the EU, the ICO investigated on behalf of EU authorities under the GDPR regulations.
“Since the attack, BA has made considerable improvements to its IT security,” the ICO noted in its statement.
