London (Brussels Morning) The UK’s flag carrier airline British Airways (BA) has been fined £20 million (€22 million) by the Information Commissioner’s Office (ICO) for a data breach it was responsible for two years prior.
The penalty, which is the largest given by the ICO, was for a security infringement that impacted more than 400,000 customers in 2018.
Despite the unprecedented figure, the fine falls far below the originally intended fine of £183 million.
However, the ICO said it took into account representations from BA and the economic impact of COVID-19.
The breach occurred when the airline’s system was subject to a cyberattack that stole customers’ logins and payment details along with personal information.
The ICO said it was made aware of the breach two months after BA found out about it from a security researcher. It also found that BA had every opportunity to protect its systems through multi-factor authentication and other measures but failed to do so.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives”, said Information Commissioner Elizabeth Denham.
The ICO also said the severity of the failure was marked by the number of people affected and the potential financial harm.
BA maintains it told customers when it found out about the breach.
“We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation”, said a spokesman.
While the fine is a fraction of what was expected, the sizeable amount shows “the ICO means business and is not letting struggling companies off the hook for their data protection failures”, according to data protection officer Carl Gottlieb, speaking to the BBC.
The announcement caused shares in BA’s parent company IAG (ICAG.L) to drop on Friday.
On Monday, the group announced Sean Doyle from Irish airline Aer Lingus would replace Alex Cruz as chief executive of BA.