British Airways Fined GBP 20 Million for Personal Data Breach of More Than 400,000 Persons

November 13, 2020

The UK Information Commissioner's Office (ICO) recently announced that it has fined the carrier British Airways GBP 20 million for failing to protect the personal data of its customers, which was compromised in a cyber incident in 2018.

The ICO's investigation established that British Airways had failed to apply protective measures that were available to it and that would have prevented the misuse of its customers' personal data.

In June 2018 the carrier's website became the target of a cyber-attack in which user traffic to the British Airways website (www.britishairways.com) was diverted by the attackers to a fraudulent site (www.BAirways). On that site visitors entered the personal data required to book and pay for air tickets, including financial data (payment card numbers and CVV codes), which the attackers harvested.

In addition to customer data, the ICO established that a large number of British Airways employees' usernames and passwords had also been compromised.

British Airways' position was further aggravated by the fact that the security weakness and the attack were identified not by the company itself but by a third party, and only some two and a half months after the attack began.

The ICO stated that there were several measures the company could have applied to mitigate or avoid the risk of unauthorised access to its network, such as restricting access to its applications according to user roles, carrying out rigorous testing in the form of simulated cyber-attacks, and protecting employee and user accounts with multi-factor authentication. According to the ICO, none of these measures would have required significant cost or technical capability, and some were already available through the operating system British Airways used.

The ICO initially intended to impose a fine of GBP 183.39 million, but subsequently reduced it to GBP 20 million in light of additional facts established during the investigation, the measures taken by British Airways and the effect of the COVID-19 pandemic on the airline industry.

Despite the reduction, the fine is still the highest the ICO has imposed to date.

This article is exclusively informative and is not intended to provide legal advice.
If you should need additional information, please contact us directly.