British Airways handed “biggest ever” fine under General Data Protection Regulation

British Airways (BA) has been fined £20 million after “failing to protect” the personal data of more than 400,000 of its customers, it has been announced.

The fine relates to a breach of the General Data Protection Regulation (GDPR) that took place in 2018.

While significantly smaller than the £183 million penalty first handed down in 2019, the fine is still the biggest issued to date.

According to the Information Commissioner’s Office (ICO), which led the investigation, BA had processed a considerable amount of personal data without “adequate security measures in place”, leading to a cyber-attack that it did not detect for more than two months.

This resulted in the exposure of names, addresses, payment card numbers and CVV numbers of 244,000 BA customers, as well as the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.

Investigators said BA could have identified the weaknesses in its cybersecurity and prevented the cyber-attack had the correct protections been in place. These included:

  • Limiting access to applications, data and tools to only what is required to fulfil a user’s role
  • Undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’s systems
  • Protecting employee and third-party accounts with multi-factor authentication

The ICO added that none of these measures would have “entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA”.
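The first and third controls the ICO lists (role-limited access and multi-factor authentication on employee and third-party accounts) are straightforward to express as an authorisation policy. The following is an added illustration written for this page, not code from BA, the ICO or any product they use; the role names, permissions and accounts are constructed, and the rule that third-party accounts and access to cardholder data always require MFA is an assumption chosen to reflect the controls described above. The policy denies by default, grants only what a role needs, and includes a small audit helper for spotting standing privileges that are never used.

```python
"""Least-privilege role checks with an MFA requirement for privileged and
third-party accounts.  Added example; not BA's or the ICO's code.  Role names,
permissions and accounts below are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set

# Constructed role-to-permission map: each role holds only what its job needs.
ROLE_PERMISSIONS = {
    "booking_agent": {"booking:read", "booking:update"},
    "payments_ops": {"payment:read"},
    "platform_admin": {"booking:read", "booking:update", "payment:read", "config:write"},
}

# Assumed policy: permissions that expose cardholder data or change the
# platform always require a verified second factor, whoever holds them.
SENSITIVE_PERMISSIONS = {"payment:read", "config:write"}


@dataclass(frozen=True)
class Account:
    name: str
    roles: FrozenSet[str]
    third_party: bool      # vendor / contractor account
    mfa_verified: bool     # second factor completed in this session


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def permissions_for(account: Account) -> Set[str]:
    """Union of the permissions granted by the account's roles (unknown roles grant nothing)."""
    perms: Set[str] = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(account: Account, permission: str) -> Decision:
    """Deny by default; grant only role-backed permissions, and demand MFA where the policy says so."""
    if permission not in permissions_for(account):
        return Decision(False, f"{account.name}: role set does not grant {permission}")
    # Assumed rule: third-party accounts and sensitive permissions always need MFA.
    needs_mfa = account.third_party or permission in SENSITIVE_PERMISSIONS
    if needs_mfa and not account.mfa_verified:
        return Decision(False, f"{account.name}: MFA required for {permission}")
    return Decision(True, f"{account.name}: granted {permission}")


def audit_excess_privilege(account: Account, permissions_used: Iterable[str]) -> List[str]:
    """Permissions the account holds but never exercised in the review window:
    candidates for removal under a least-privilege review."""
    return sorted(permissions_for(account) - set(permissions_used))


if __name__ == "__main__":
    # Constructed accounts for the demonstration.
    agent = Account("agent-01", frozenset({"booking_agent"}), third_party=False, mfa_verified=False)
    vendor = Account("vendor-svc", frozenset({"payments_ops"}), third_party=True, mfa_verified=False)
    admin = Account("admin-07", frozenset({"platform_admin"}), third_party=False, mfa_verified=True)

    for acct, perm in [(agent, "booking:read"), (agent, "payment:read"),
                       (vendor, "payment:read"), (admin, "config:write")]:
        print(authorize(acct, perm).reason)

    # Access-log review: the admin only ever read bookings last quarter.
    print("unused admin privileges:", audit_excess_privilege(admin, ["booking:read"]))
```

The audit helper is the piece that turns the ICO's first recommendation into a recurring check: run it over each account's observed activity and the output is the list of privileges that can be withdrawn without affecting the user's work.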

Commenting on the case, Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.”

The ICO added that it had considered both representations from BA and the economic impact of COVID-19 on its business before setting the final penalty.

For data protection support and advice, please get in touch with our expert team today.