The UK Information Commissioner’s Office (ICO) has announced that it has fined British Airways (BA) £20m for a 2018 data breach that exposed the personal and financial data of 400,000 customers, despite previously saying it would apply a £183m fine.
The fine, which is detailed in a penalty notice published today, relates to an incident in September 2018, when BA’s systems were accessed by cybercriminals for 16 days without detection. During that time, they redirected users to a bogus site, through which they were able to capture login and payment details, including credit card details and expiry dates, of around 400,000 users.
It was one of the first high-profile cases to be assessed under GDPR in the UK, which came into force on 25 May 2018. Under the law, the ICO had the right to fine BA up to 4% of its global annual turnover for the data breach.
The ICO issued an intention to fine BA £183m in July 2019, equivalent to 1.5% of its global annual turnover – the highest amount announced at the time. BA reacted with shock to the decision, and said it would appeal, a move that now appears to have proved highly beneficial for the airline.
The revised £20m fine is final, and a fraction of the previously intended amount.
Covid-19 contributes to reduced BA data breach fine from ICO
A key factor in the decision by the ICO to reduce the fine on BA by so much appears to relate to Covid-19.
The ICO has said that it considered the economic impact of the pandemic on BA, which has been severe, before deciding on a final number.
However, it has remained highly critical of the airline for its lax cybersecurity related to the original breach, and stressed that this remains the largest fine it has ever issued under GDPR.
“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said information commissioner Elizabeth Denham.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”