British Airways fined $36.5m for major data breach


By Dylan Bushell-Embling
Tuesday, 20 October, 2020



British Airways fined $36.5m for major data breach

The UK Information Commissioners' Office (ICO) has fined British Airways a record £20 million ($36.5 million) for a data breach in 2018 which exposed the personal and financial details of more than 400,000 of its customers.

An investigation into the breach found that the airline was processing a significant amount of personal data without adequate security measures in place.

This failure resulted in the 2018 cyber attack which the airline failed to detect for more than two months, the ICO said.

This breach involved names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. The attackers are also believed to have accessed the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers, as well as usernames and passwords of BA employee and administrator accounts.

The investigation found that BA should have identified weaknesses in its security and resolved them with security measures that were widely available even at the time. This could have prevented the breach, according to Information Commissioner Elizabeth Denham.

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” she said.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine — our biggest to date.”

Preventive measures BA could have taken but did not include limiting access to applications, data and tools to only that which are required to fulfil a user’s role; undertaking rigorous testing, in the form of simulating a cyber attack, on the business’s systems; and protecting employee and third-party accounts with multi-factor authentication.

Because the BA breach happened prior to Brexit the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR.

The size of the final penalty took into account representations from BA and the economic impact of COVID-19.

Image credit: ©stock.adobe.com/au/T^i^

Related Articles

Australian cybersecurity market worth $5.6bn in 2020

Australian spending on cybersecurity reached $5.6bn this year, with more than half of spending...

Govt releases critical infrastructure exposure draft

Australian critical infrastructure providers would have to comply with new security obligations...

Communications cybersecurity to be top of agenda at CCV

Leading experts from the NSW Government, NIST and the private sector will spearhead the...


  • All content Copyright © 2020 Westwick-Farrow Pty Ltd