BA Data Breach Fine Reduced: ICO Lowers Penalty to £20m

A significant data security incident in U.K. corporate history has concluded with a reduced penalty for British Airways. The Information Commissioner’s Office (ICO), the U.K.’s independent authority upholding information rights, has announced a £20 million ($25.8 million) fine for the airline following a data breach that exposed the personal information of over 400,000 customers. The breach followed a two-month cyberattack during which British Airways, lacking adequate security measures, failed to detect and counter the intrusion. Initially, the ICO intended to impose a much larger fine of approximately £184 million, but this was lessened due to the financial difficulties BA, along with other airlines, has experienced because of COVID-19, as well as improvements BA made to its security and further insights gained during the investigation.
Despite the reduction in the penalty amount, the ICO maintains its initial assessment:
“Individuals placed their trust in British Airways to safeguard their personal data, and the airline did not implement appropriate safeguards to protect it,” stated Information Commissioner Elizabeth Denham. “This lack of action was unacceptable and affected a substantial number of people, potentially causing worry and distress. Consequently, we have issued British Airways with a £20 million fine – the largest to date. When organizations fail to prioritize the security of personal data, it can have serious consequences for individuals. Legislation now provides us with the authority to encourage businesses to make informed decisions regarding data protection, including investing in modern security infrastructure.”
British Airways issued a response acknowledging the investigation and the revised penalty.
“We promptly informed customers once we became aware of the malicious attack on our systems in 2018 and apologize for not meeting their expectations,” a spokesperson communicated to TechCrunch. “We are pleased the ICO acknowledges the significant enhancements we have made to the security of our systems since the incident and our full cooperation throughout the investigation.”
Approximately £150 million of the original fine was reduced as the ICO reevaluated the events leading to the attack, assigning less responsibility to British Airways than initially believed; an additional £6 million was discounted based on the airline’s response to the breach, and a further £4 million was removed in consideration of the ICO’s COVID-19 policy, recognizing the pandemic’s impact on BA’s financial standing.
This adjustment highlights the influence of the coronavirus pandemic on regulatory practices. In certain instances, regulators have expedited their response to issues impacting business growth and even relaxed some prior concerns to facilitate activities, as seen with the approval of e-scooters.
However, in the case of the British Airways fine, regulators have adopted a more lenient approach to financial penalties given the company’s existing financial challenges. This shift could influence future regulatory responses to security and data protection failures.
The initial proposed fine of £184 million represented 1.5% of British Airways’ 2018 revenue and was established in 2019. This was before the onset of the coronavirus pandemic, which severely disrupted global travel and placed significant strain on the airline industry. The original decision was also subject to standard regulatory procedures, which ultimately benefited British Airways by allowing for consideration of arguments from the airline and an assessment of its current market position.
“In June 2019 the ICO issued BA with a notice of intent to fine,” the ICO explained in its statement regarding the reduced fine. “As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.”
Despite the lowered fine, the core findings of the investigation remained consistent: the ICO determined that British Airways had “security vulnerabilities” that could have been prevented by utilizing security systems – both procedures and software – that were readily available at the time.
Consequently, data belonging to 429,612 customers and staff members was compromised, including “names, addresses, payment card numbers and CVV numbers of 244,000 BA customers,” according to the ICO. The breach also involved the combined card and CVV numbers of 77,000 customers, card numbers alone for 108,000 customers, usernames and passwords for BA employee and administrator accounts, and usernames and PINs for up to 612 BA Executive Club accounts (the accuracy of the latter two was not fully confirmed).
Furthermore, British Airways did not independently detect the attack; they were alerted to the breach by a third party.
The ICO confirmed that its actions have been endorsed by other Data Protection Authorities (DPAs) within the European Union, as the attack occurred while the U.K. was still a member of the EU, and the investigation was conducted by the ICO on behalf of EU authorities.
British Airways, which is part of International Airlines Group – encompassing Iberia, Aer Lingus, Vueling, and other brands – has been actively reinvesting in the security of its systems. The airline also offered “affected customers” 12 months of membership to a credit check/management service.
Recent years have seen a rise in data breaches within the travel and hospitality sectors, impacting not only other airlines (such as easyJet, affecting 9 million records this past May, and Cathay Pacific, fined £500,000 earlier this year for a breach impacting 9.5 million customers globally, with around 111,000 in the U.K.) but also hotels, with a significant Marriott phishing attack estimated to have affected approximately 500 million individuals.
Updated with additional details regarding the fine and commentary from BA.