The Information Commissioner's Office (ICO) has fined British Airways £20 million for failing to protect the personal and financial details of more than 400,000 customers and staff.
An ICO investigation into the 2018 breach found that the airline was processing large amounts of personal data without adequate security measures in place. Those inadequate measures allowed the airline to fall victim to a cyberattack that went undiscovered for two months. The investigation uncovered multiple weaknesses in the company's IT systems and set out how those issues could have been resolved, which would have prevented the 2018 attack.
The attackers obtained the personal information of approximately 429,000 customers and staff members, including names, addresses, payment card numbers and CVV numbers. They were also able to access the usernames and passwords of British Airways employee and administrator accounts, along with the PINs of up to 600 British Airways Executive Club accounts.
There were numerous measures British Airways could have taken to mitigate or prevent the attackers' access to the BA network, including:
- Limiting users' access to only the applications, data and tools they need to fulfil their role (the principle of least privilege).
- Performing rigorous testing, in the form of a simulated cyberattack (penetration test) against the business systems, to find weaknesses before an attacker does.
- Using multi-factor authentication to protect user and third-party accounts.
There were additional measures the airline could have taken to prevent this attack; more details can be found in the ICO's penalty notice.
Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date. When organisations make poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU data protection authorities (DPAs) through the GDPR's cooperation process.
In June 2019 the ICO issued BA with a notice of intent to fine. As part of the regulatory process, the ICO considered both representations from BA and the economic impact of COVID-19 on its business before setting the final penalty.
For more cyber security and data breach news, follow ADNS Group.