British Airways B777-300ER (G-STBF). Photo: Kentaro Iemoto

MIAMI – British Airways (BA) has been fined £20m (US$26m) by the UK Information Commissioner’s Office (ICO) over a data breach that affected over 400,000 customers, as reported by the BBC today.

The fine was smaller than the £183m that the ICO had intended to levy in 2019, when the investigation started. Still, it is the largest fine the British office has ever issued; the ICO said it took the current COVID-19 situation into account when setting the amount.

The breach occurred in 2018 and involved credit card and personal data, as well as login details, travel information, and customer addresses.

According to the report, “the incident took place when BA’s systems were compromised by its attackers, and then modified to harvest customers’ details as they were input,” adding that “it was two months before BA was made aware of it by a security researcher, and then notified the ICO.”

British Airways Boeing 777-200ER G-VIIP. Photo: Aaron Davis

Insufficient Security Measures

An investigation made after the breach concluded, per the report, that “sufficient security measures, such as multi-factor authentication, were not in place at the time,” and that “some of these measures were available on the Microsoft operating system that BA was using at the time.”

On that matter, Information Commissioner Elizabeth Denham told the BBC that “when organizations take poor decisions around people’s personal data, that can have a real impact on people’s lives.”

Denham also added that “the law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.” For its part, BA said it alerted its customers as soon as it learned about the breach.

“We are pleased the ICO recognizes that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation,” a BA spokesperson told the BBC.