British Airways is to be fined £20m after losing the personal and financial details of more than 400,000 customers in a cyber attack.
The fine is considerably lower than the £183m penalty of which the Information Commissioner’s Office (ICO) had initially notified the company last year.
According to the ICO, the regulator took into account “representations from BA and the economic impact of COVID-19 on their business before setting a final penalty”.
It comes as the company’s chief executive told MPs back in September that the business was “fighting for its survival” as a consequence of the pandemic.
The ICO said it took into account the economic impact of its initial fine as part of its regulatory action policy, which is currently under review.
Announcing the £20m fine, Elizabeth Denham, the information commissioner, described British Airways’ “failure to act” as “unacceptable” and said the fine was the biggest it had ever issued despite the £163m reprieve.
The credit card details of 429,612 customers were compromised in the incident back in 2018. The ICO confirmed that this “included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers”.
“Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.
“Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed,” the regulator said.
BA was criticised for failing to take measures to prevent and mitigate the risk from cyber attacks; the ICO said such measures would not “have entailed excessive cost or technical barriers”, and some of them were already available through Microsoft products that BA was using.
The investigation also found that BA itself failed to detect the attack, which took place on 22 June 2018, and was only alerted to it by a third party more than two months later, on 5 September.
“It is not clear whether or when BA would have identified the attack themselves,” the regulator stated.
“This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.”
A spokesperson for British Airways, which is owned by Madrid-headquartered International Airlines Group, said: “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations.
“We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”