Skip to main contentSkip to navigationSkip to navigation
Print subscriptions
Sign in
Search jobs
Search
The Guardian - Back to homeThe Guardian
The email sent to BA customers after the data breach in 2018.
The email sent to BA customers after the data breach in 2018. Photograph: Gareth Fuller/PA
The email sent to BA customers after the data breach in 2018. Photograph: Gareth Fuller/PA

BA fined record £20m for customer data breach

This article is more than 3 years old

Personal details of more than 400,000 customers accessed by hackers in 2018

A £183m fine levied on British Airways for a data breach has been reduced to £20m after investigators took into account the airline’s financial plight and the circumstances of the cyber-attack.

The £20m fine is nonetheless the biggest ever issued by the Information Commissioner’s Office (ICO), following the 2018 incident in which more than 400,000 customers’ personal details were compromised by hackers.

The initial £183m fine announced last year was reduced after investigators accepted BA’s representations about the attack and also noted the dire financial position of BA since the onset of Covid-19.

Investigators found BA had failed to put sufficient security measures in place to protect its customers’ details. The airline took more than two months to detect the cyber-attack, which started in June 2018.

The information commissioner, Elizabeth Denham, said BA failed to take adequate measures to keep customers’ personal details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date,” she said.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives.”

The BA case was the first major one to be carried out under toughened data laws that allow for far heavier fines as a proportion of a company’s turnover than had previously been the case.

Sign up to the daily Business Today email or follow Guardian Business on Twitter at @BusinessDesk

The ICO found BA ought to have identified weaknesses in its security, and could have resolved them with security measures available at the time. Of the approximately 430,000 customers and staff affected by the breach, about 244,000 people had their full name, addresses and payment card details, including the CVV security number, exposed.

A BA spokesman said: “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations.

“We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully cooperated with its investigation.”

Explore more on these topics
Share
Reuse this content

More on this story

More on this story

  • British Airways to offer free in-flight use of messaging apps

  • British Airways owner’s annual profits soar to £2.3bn on leisure boom

  • Strong demand drives profits record at British Airways owner IAG

  • British Airways workers to get 13% pay rise after Covid cutbacks

  • British Airways owner announces record profits for first half of 2023

  • US fines British Airways $1.1m for ‘failing to refund’ Covid cancellations

  • BA flight chaos at Heathrow airport ahead of bank holiday weekend

  • BA owner raises profit forecast as travel demand rebounds

  • BA owner ‘worried’ over Heathrow’s readiness for summer

  • British Airways and Virgin to fly daily from UK to China again

Most viewed

Most viewed