British Airways fined $36.5m for major data breach


By Dylan Bushell-Embling
Tuesday, 20 October, 2020



The UK Information Commissioner's Office (ICO) has fined British Airways a record £20 million ($36.5 million) for a 2018 data breach that exposed the personal and financial details of more than 400,000 of its customers.

An investigation into the breach found that the airline was processing a significant amount of personal data without adequate security measures in place.

This failure resulted in the 2018 cyber attack, which the airline failed to detect for more than two months, the ICO said.

This breach involved names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. The attackers are also believed to have accessed the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers, as well as usernames and passwords of BA employee and administrator accounts.

The investigation found that BA should have identified the weaknesses in its security and resolved them with security measures that were widely available at the time. Doing so could have prevented the breach, according to Information Commissioner Elizabeth Denham.

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” she said.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine — our biggest to date.”

Preventive measures BA could have taken but did not include: limiting access to applications, data and tools to only those required to fulfil a user's role; undertaking rigorous testing of the business's systems in the form of a simulated cyber attack; and protecting employee and third-party accounts with multi-factor authentication.

Because the BA breach happened prior to Brexit, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR.

The size of the final penalty took into account representations from BA and the economic impact of COVID-19.
