British Airways was fined 20 million pounds (R430 million) by the United Kingdom data protection watchdog over a breach that compromised the personal and financial details of more than 400,000 customers. The penalty is a major step down from the £184 million fine - 1.5% of BA's revenues in the 2018 calendar year - that the regulator had originally set last year.
The U.K. Information Commissioner's Office on Friday said its investigation into a 2018 cyber attack at the company found that "the airline was processing a significant amount of personal data without adequate security measures in place", exposing people's data unnecessarily.
At that time, it was estimated that hackers obtained the personal data of around 380,000 BA customers, including names, addresses, credit card numbers, expiry dates and security codes, but not travel or passport details, as the airline stressed. Overall, approximately 430,000 data subjects were affected. The attack may also have exposed usernames and passwords for the airline's employee and administrator accounts, along with usernames and personal identification numbers for more than 600 "Executive Club" accounts, officials said.
The ICO concluded: "It is not clear whether or when BA would have identified the attack themselves".
"When organisations take poor decisions around people's personal data, that can have a real impact on people's lives." In addition, the ICO commented that although special category data was not involved, the financial data compromised was considered sensitive. Having completed its investigation, the regulator said that it had "considered both representations from BA and the economic impact of Covid-19 on their business before setting a final penalty". Mitigating factors included the fact that BA did not gain any financial benefit from the breach, notified the ICO promptly on becoming aware of it, had no relevant previous infringements and offered to compensate individuals for financial loss suffered as a direct result of the theft of their card details. The ICO stated that BA had cooperated fully with the investigation, and noted the improvements that have been made to BA's IT security since the breach.
The fine is the highest-ever leveled by the ICO.
After the matter came to light in 2018, the office said at the time that the fine to be imposed on British Airways would amount to about 183 million pounds sterling, but it was reduced to about 20 million pounds sterling in view of the difficult conditions the company is going through due to the coronavirus pandemic. This is still significantly less than the maximum possible fine of 4% of an undertaking's turnover, and indeed considerably less than 1% of BA's worldwide annual turnover.