A £20 million fine has been imposed on British Airways for a data breach which affected more than 400,000 customers.
The fine by the Information Commissioner’s Office (ICO) is considerably smaller than the £183 million that the ICO originally said it intended to issue in June 2019.
It said “the economic impact of Covid-19” had been taken into account.
However, it is still the largest penalty issued by the ICO to date.
An ICO probe found the airline was processing a “significant amount of personal data” without adequate security measures in place.
“This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months,” the ICO said.
BA has made “considerable improvements” to its IT security since the attack.
Investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.
Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded.
The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.
Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed, according to the ICO.
The incident took place when BA customers were re-directed to a fraudulent site but it was two months before BA was made aware of it by a security researcher, and notified the ICO.
The data stolen included log in, payment card, and travel booking details as well name and address information.
A subsequent investigation concluded that sufficient security measures, such as multi-factor authentication, were not in place at the time.
As part of the regulatory process the ICO considered both representations from BA and the economic impact of Covid-19 on their business before setting a final penalty, according to the ruling.
The ICO said its investigators found that BA did not detect the attack on June 22, 2018 but was alerted by a third party more than two months afterwards on September 5.
BA then acted promptly and notified the ICO.
“It is not clear whether or when BA would have identified the attack themselves,” the ICO said.
“This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.”
Information commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
BA said: “We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”