UK data watchdog hits British Airways with $26m fine
The United Kingdom’s Information Commissioner’s Office (ICO) has fined British Airways (BA, London Heathrow) GBP20 million (USD26 million) for failing to protect the personal and payment card details of around 430,000 of its customers and staff, the subject of a 2018 cyber-attack, it said in a statement explaining its actions on October 16.

An ICO investigation found that the airline was processing a significant amount of personal data without adequate security measures in place. This broke data protection law and, subsequently, BA was the victim of a cyber-attack, on June 22, 2018, which it failed to detect until a third party noticed it two months later, on September 5.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused anxiety and distress as a result,” said Elizabeth Denham, information commissioner, adding that the fine was the ICO’s biggest to date. “When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

The IAG International Airlines Group-owned carrier responded in its own statement: “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations. We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully cooperated with its investigation.”

However, the penalty was considerably less than the GBP183.4 million (USD238.7 million) the ICO proposed last year, which the regulator explained was in part due to the crisis the airline industry is currently facing.