BA fine for losing customers' credit card details dropped by £163m

Daniel Fowler
October 18, 2020

The Information Commissioner's Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of its customers.

The ICO said the investigation found the airline was "processing a significant amount of personal data without adequate security measures", breaking data protection law.

"It shows the ICO means business and is not letting struggling companies off the hook for their data protection failures", he said.

The ICO investigators found that BA should have identified the security weaknesses that enabled the hack to happen.

British Airways is being fined £20 million (close to R$145 million) for being the target of a massive data leak that affected thousands of consumers.

Because the BA breach happened in June 2018, before the United Kingdom left the European Union, the ICO investigated on behalf of all European Union authorities as lead supervisory authority under the GDPR.

The ICO estimates almost 430,000 British Airways customers and staff were potentially affected by the breach, with 244,000 possibly having their names, addresses, payment card numbers and CVVs compromised.

"Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed", the regulator said.

BA was informed of the issue by a third party and notified the ICO on September 6, 2018.

"When organisations take poor decisions around people's personal data, that can have a real impact on people's lives. The law now gives us tools that encourage more efficient decision-making when it comes to data, including investments in up-to-date security technologies", commented Elizabeth Denham, an ICO member.

"We alerted clients as quickly as we grew to become conscious of the felony assault on our programs in 2018 and are sorry we fell short of our clients' expectations", British Airways said in a statement Friday.

The ICO said that BA had failed to implement sufficient security around the data, even though measures that could have prevented the hack such as multi-factor authentication were built into the operating system, and also failed to adequately test its systems.

Immediately after British Airways announced the breach in 2018, security firm RiskIQ reported it was likely a Magecart-style attack, which involves placing a JavaScript skimmer in the target's e-commerce checkout system to scrape customer payment data as it's entered (see: RiskIQ: British Airways Breach Ties to Cybercrime Group).

Several other management changes were made today with Mr Gallego seemingly wanting to draw a line under Mr Cruz's hard tenure, which saw him oversee BA's first strike, a massive data breach and controversial job losses in the wake of the coronavirus pandemic.
