British Airways (BA) must pay a $25.8 million fine for lacking the proper security measures that might have prevented a hacker in 2018 from exposing the financial details of more than 400,000 customers, the U.K.’s Information Commissioner’s Office (ICO) said on Friday (Oct. 16).
“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said Information Commissioner Elizabeth Denham. “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.”
The ICO’s investigation revealed that the airline broke data protection laws by lacking sufficient security measures when processing customers’ personal information.
The cyberattack went unnoticed for over two months and was ultimately brought to the airline’s attention by a third party, TechCrunch reported.
“We alerted customers as soon as we became aware of the criminal attack on our systems in 2018, and are sorry we fell short of our customers’ expectations,” a BA spokesperson told TechCrunch. “We are pleased the ICO recognizes that we have made considerable improvements to the security of our systems since the attack and that we fully cooperated with its investigation.”
The $25.8 million penalty is the largest fine handed down to date by the ICO, and the BA attack is also one of the U.K.’s biggest data breaches. The agency was originally poised to hit the country’s largest airline with a $236.5 million fine, which represented a percentage of BA’s 2018 income, but the watchdog took into consideration the devastating financial effects of the pandemic and its especially big impact on airlines.
The data breach involved customers’ names, addresses, payment cards and CVV numbers, as well as usernames and passwords of BA employee and administrator accounts. Additionally, 612 BA Executive Club usernames and PINs were accessed.
BA is one of the many airlines struggling to survive after worldwide travel bans were triggered by the pandemic more than seven months ago. The company announced in April that it was laying off 42,000 people, around 30 percent of its workforce.