Data watchdog issues biggest ever fine over airline cyberattack

Information Commissioner's Office issues its largest financial penalty to date - and it could've been even higher if it wasn't for coronavirus.
Written by Danny Palmer, Senior Writer

British Airways has been fined £20 million for "unacceptable" failures that led to personal details of hundreds of thousands of customers' data being being stolen by hackers in 2018.

The fine represents the largest financial penalty issued by the UK's Information Commissioner's Office (ICO) to date and is based on GDPR data protection regulation.

The incident started in summer 2018 and went undetected by the airline for over two months, before being finally publicly disclosed in September 2018.

SEE: IT pro's guide to GDPR readiness (free PDF)

Over 400,000 British Airways customers who used the website during the summer of 2018 were redirected to a fraudulent website run by cyber criminals who harvested personal details including names, addresses and payment card information.

An investigation by the ICO concluded that British Airways should've been able to identify the cybersecurity weaknesses and resolved them with security measures available at the time.

"People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure," said Information Commissioner Elizabeth Denham.

"Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That's why we have issued BA with a £20m fine – our biggest to date."

The ICO's investigation concluded that there were numerous measures British Airways could have taken to mitigate the attack that weren't being used.

These include limiting access to applications to only those required to fulfil a user's role, undertaking rigorous testing of cybersecurity, and protecting accounts with multi-factor authentication.

The ICO notes that none of these measures would have required "excessive cost or technical barriers" and some of these undeployed security measures were available but weren't used.

The investigation also concluded that it's "not clear" whether British Airways would have identified the attack themselves, having only been alerted to the incident by a third party. The ICO considers this a "severe failing" because of the number of people who had their data compromised by the attack.

SEE: Cybersecurity warning: Hackers are targeting your smartphone as way into the company network

However, in the years since the attack, the ICO notes that British Airways has made "considerable" improvements to information security procedures.

"We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers' expectations," a British Airways spokesperson told ZDNet.

"We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation."

The ICO initially issued BA with a notice of intent to fine in June last year and has come to the final figure of £20m based on regulatory processes – and the impact COVID-19 has had on the business.

"When organisations take poor decisions around people's personal data, that can have a real impact on people's lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security," said Denham.


Editorial standards