ICO fined British Airways £20m for data breach

07/11/2020

The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.


Background of the data breach


The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.


Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.


Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.


Failure to prevent the attack


There were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include:


    • limiting access to applications, data and tools to only those required to fulfil a user’s role;
    • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’s systems;
    • protecting employee and third-party accounts with multi-factor authentication.


Lack of awareness of the attack


ICO investigators found that BA did not detect the attack on 22 June 2018 themselves, but were alerted by a third party more than two months afterwards, on 5 September. Once it became aware, BA acted promptly and notified the ICO.


The press release can be accessed here and the penalty notice here.


Photo by Andrea Piacquadio from Pexels.