The Information Commissioner's Office (ICO) has fined British Airways £20 million for a 2018 hack in which the credit card and personal data of more than 420,000 people were stolen.
Customer data was stolen from BA's website and mobile app in a massive hack that ran from 21st August to 5th September 2018. The airline first said 380,000 customers and BA staff had had data stolen, but later revised this figure upwards as more information emerged. The final figure was 429,612, the ICO said. The stolen data included login details, PINs, payment card details, CVV numbers and passwords, and travel booking information, as well as names and addresses.
In July last year it was reported that BA faced a £183 million GDPR fine over the security breach, so the company will no doubt be relieved at the final settlement.
The ICO says the impact of the pandemic, which has hit the airlines particularly hard, was the reason for the reduction.
However, it still represents the largest fine yet issued by the ICO.
"People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure," said Information Commissioner Elizabeth Denham in a statement.
"Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That's why we have issued BA with a £20m fine - our biggest to date."
The ICO said that BA had failed to implement sufficient security around the data, even though measures that could have prevented the hack, such as multi-factor authentication, were built into the operating system, and that it had also failed to adequately test its systems.
BA said customers were alerted to the attack as soon as it became known.
"We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation," a BA spokesman said.
Commenting on the fine, Stuart Reed, UK director at Orange Cyberdefense, said:
"While the size of the fine may be smaller than many people expected, the impact on the airline in terms of customer trust could have an even bigger impact than the financial cost. The ICO finding that the airline was processing a significant amount of personal data without adequate security measures in place is particularly damning.
Organisations are expected to demonstrate best security practice at all times. It is imperative that they recognise that the onus is on them to make sure they have done everything they can to protect customer data. Otherwise, the consequences can be complex and extremely costly. Firms must adopt a layered security approach that includes people, process, and enabling technologies to reduce the risk, minimise the impact of a breach should one occur, and demonstrate diligence and best practice to both customers and governing bodies."