The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20million after the airline failed to adequately protect over 400,000 of its customers’ personal and financial details following a cyber-attack on 22 June 2018. The data breach went unnoticed for more than two months until BA were notified by a third party on 5 September 2018.
Despite the fine being initially set at £183million, the ICO concluded that:
- BA did not gain any financial benefit, or avoid any losses, as a result of the breach;
- The data breach was serious in terms of nature and duration;
- Although the infringement was not intentional, BA was responsible for the infringements found by ICO investigators;
- BA fully cooperated with the investigation and the ICO Commissioner had taken this into consideration when calculating an appropriate fine;
- Despite personal data being disseminated, no “special category” data, such as racial origin, political opinions, religious beliefs and so forth, was affected; and
- BA acted promptly when notifying the ICO.
For these reasons, the ICO saw fit to reduce the fine to £20m.