British Airways hit with £20m fine for data breach

Fine reduced from initial figure of £183 million because of the pandemic, ICO says

The Information Commissioner's Office (ICO) has fined British Airways £20 million for a 2018 hack in which the credit card and personal data of more than 420,000 people were stolen.

Customer data was stolen from BA's website and mobile app in a massive hack which ran from 21st August to 5th September 2018. The airline first said 380,000 customers and BA staff had had data stolen, but later revised this figure upwards as more information emerged. The final figure was 429,612, the ICO said. The stolen data included login details, PINs, payment card details, CVV numbers and passwords, and travel booking information, as well as names and addresses.

In July last year it was reported that BA faced a £183 million GDPR fine over the security breach, so the company will no doubt be relieved at the final settlement.

The ICO says the impact of the pandemic, which has hit airlines particularly hard, was the reason for the reduction.

However, it still represents the largest fine yet issued by the ICO.

"People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure," said Information Commissioner Elizabeth Denham in a statement.

"Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That's why we have issued BA with a £20m fine - our biggest to date."

The ICO said that BA had failed to implement sufficient security around the data, even though measures that could have prevented the hack, such as multi-factor authentication, were built into the operating system; BA had also failed to adequately test its systems.

The prolific Magecart group, which was behind the attack, had earlier carried out a similar skimming hack on Ticketmaster through a JavaScript injection. For BA, the group customised its JavaScript to evade detection.

BA said customers were alerted to the attack as soon as it became known.

"We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation," a BA spokesman said.

Commenting on the fine, Stuart Reed, UK director at Orange Cyberdefense, said:

"While the size of the fine may be smaller than many people expected, the impact on the airline in terms of customer trust could have an even bigger impact than the financial cost. The ICO finding that the airline was processing a significant amount of personal data without adequate security measures in place is particularly damning.

Organisations are expected to demonstrate best security practice at all times. It is imperative that they recognise that the onus is on them to make sure they have done everything they can to protect customer data. Otherwise, the consequences can be complex and extremely costly. Firms must adopt a layered security approach that includes people, process, and enabling technologies to reduce the risk, minimise the impact of a breach should one occur, and demonstrate diligence and best practice to both customers and governing bodies."