British Airways fined £20 million
Today it has been reported that British Airways has been fined £20 million by the Information Commissioner’s Office (ICO) for the data breach in which hundreds of thousands of customers’ personal information was compromised.
The BA data breach, which took place in 2018, affected over 400,000 customers, and the information that was stolen included their personal data and card payment details.
Despite this being the largest penalty the ICO has issued to date, it is considerably smaller than the £183 million that the ICO originally said it intended to fine British Airways back in 2019. The ICO said “representations from BA and the economic impact of Covid-19” had been taken into account before setting a final penalty.
This announcement comes after the company’s chief executive told MPs in September that the business was “fighting for its survival” as a consequence of the coronavirus pandemic.
The information commissioner, Elizabeth Denham, when announcing the £20 million fine, described British Airways’ “failure to act” as “unacceptable” and said the fine was the biggest it had ever issued despite the £163m reprieve.
“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
This was the commissioner’s first fine under the EU data regulation GDPR, so it is a potential landmark decision. The final figure may come as a shock to many who were expecting it to be closer to the £183 million initially proposed. However, it is still a significant amount, and other companies will see this fine as a sign of things to come if they too fail to protect customers’ data.
Data protection officer Carl Gottlieb said that in the current climate, £20 million was a “massive” fine.
“It shows the ICO means business and is not letting struggling companies off the hook for their data protection failures,” he said. In a post-coronavirus world, the ICO may be a lot harsher.
A spokesperson for British Airways said, “We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”
The British Airways data breach
It was announced in September 2018 that British Airways’ security systems had been breached by hackers who had potentially accessed the personal data of approximately 429,612 customers. This included names, addresses, payment card numbers, and CVV numbers of 244,000 BA customers. Usernames and passwords of BA employees and administrator accounts, as well as usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed, said the ICO.
It was two months before BA was made aware of the breach by a security researcher and then notified the ICO. It was not clear whether or when BA would have identified the attack themselves, and this was considered a severe failing because of the huge number of people affected and the potential financial harm to them.
The ICO said there were several measures BA could have used to mitigate or prevent the risk of an attacker being able to access this data, including limiting access to applications, data and tools to only those required to fulfil a user’s role, undertaking rigorous testing, and using multi-factor authentication. The ICO found none of these measures would have entailed excessive cost or caused technical issues, with some even available through the Microsoft Operating System used by BA.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result,” the ICO said of the cyber-attack.
Making a British Airways data breach claim
If you have been affected by the British Airways data breach, you could be entitled to claim compensation up to £6000. A High Court hearing stated the final cut-off date to join group litigation to claim compensation from British Airways for the data breach is the 17th April 2021, so you should act now before it’s too late.
HNK Solicitors have a team of expert data protection claim solicitors who can help you claim the compensation you deserve. You can claim for financial losses from the breach as well as for distress caused. In cases where psychological injury is extreme, compensation could be as high as £16,000. HNK Solicitors are currently representing clients in an ongoing group litigation case against British Airways, and we may be able to take on your case on a no-win, no-fee agreement.