Published 16:33 IST, October 18th 2020
British Airways fined £20 MN for data breach affecting 400,000 customers
“A significant amount of personal data without adequate security measures in place” was being processed by UK’s British Airways, ICO said in a release.
On October 17, British Airways was fined £20 MN by the Information Commissioner’s Office (ICO) over a data breach that compromised the information of more than 400,000 customers. The UK’s leading airline was processing “a significant amount of personal data without adequate security measures in place”, the ICO said, a failure that breached data protection law and left it exposed to a major cyber-attack in 2018 that went undetected for approximately two months.
In an official report, the ICO watchdog said it fined BA after identifying weaknesses in its security measures which, had they been addressed, could have prevented the 2018 cyber-attack. The ICO investigators concluded that BA’s failure to safeguard customers’ personal and sensitive information violated data protection law, and a penalty, set with the COVID-19 outbreak taken into consideration, has therefore been imposed.
Information Commissioner Elizabeth Denham said in the report, “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.”
Further, she added, “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.”
BA’s £20m fine is the largest penalty the ICO has imposed to date. “When organizations take poor decisions around people’s personal data, that can have a real impact on people’s lives,” Denham reiterated, stressing that protecting the customer information held by firms is of the utmost importance. “Law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security,” she said.
We have fined British Airways £20 million for failing to protect the personal and financial details of more than 400,000 of its customers.
Read more about the investigation here: https://t.co/qCzdIsXZBh pic.twitter.com/6XDUzjaec0
— ICO (@ICOnews) October 16, 2020
Cyber attack of 2018
Ahead of the UK’s exit from the EU, the ICO investigated British Airways as lead supervisory authority under the GDPR. Following its investigation, the ICO issued a notice of intent to fine in June 2019, a step that was approved by the other EU data protection authorities (DPAs). In 2018, a cyber attacker accessed the personal data of approximately 429,612 customers and staff, compromising the names, addresses, payment card numbers, and CVV numbers of 244,000 BA customers. The credit and debit card numbers of an estimated 108,000 further customers were compromised, and as many as 77,000 customers’ card CVVs were stolen by the cybercriminals. Furthermore, the investigators found that the usernames, PINs, and passwords of over 612 Executive Club accounts were leaked in the attack.
The attack affected potentially 429,612 customers and staff, including names and financial details. BA failed to put in place a number of IT security measures, such as multi-factor authentication, and they were not aware of the attack until a third party alerted them. pic.twitter.com/CYKcHBcR4i
— ICO (@ICOnews) October 16, 2020
While the cyberattack took place on the BA network, the investigators found that gaps in its security measures led to it: limits on access to applications, data and tools, rigorous testing of the business’s systems, and multi-factor authentication on third-party accounts were all lacking. “ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but was alerted by a third party more than two months afterward on 5 September,” investigators said in the report.
Updated 16:34 IST, October 18th 2020