British Airways has been fined £20m ($26m) by the Information Commissioner’s Office (ICO) for a data breach in 2018 which affected the personal and credit card data of over 400,000 customers. The fine is considerably smaller than the £183m that the ICO originally said it intended to issue back in 2019. The incident took place when BA’s systems were compromised by attackers and then modified to harvest customers’ details as they were input.
It took two months for BA to become aware of the breach, when it was alerted by a security researcher; it then notified the ICO. The data stolen included log-in, payment card, and travel booking details, as well as name and address information. The investigation concluded that sufficient security measures, such as multi-factor authentication, were not in place, although some of these measures were available on the Microsoft operating system that BA was using at the time.
Elizabeth Denham, the Information Commissioner, said: “When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”