BA fined £20m by UK watchdog for failing to protect the data of millions of its passengers

BRITISH airline BA has been fined £20m for failing to protect data that left more than 400,000 of its customers vulnerable to cyber attack in 2018 when hackers successfully accessed the carrier's hard drive.

According to the UK Information Commissioner’s Office (ICO), its investigators found BA should have identified weaknesses in its security and resolved them with measures available at the time, which would have prevented the data breach. This fine is the biggest such penalty to be imposed by the data protection watchdog till date.

An ICO spokesman said: “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.”  BA, however, said that it had alerted customers as soon as it became aware of the attack.

Fortunately for BA, the penalty was considerably less than the £183.4m the ICO proposed last year, in part reflecting the crisis the airline industry is now facing due to Covid-19 pandemic.  Shares in BA’s Anglo-Spanish parent IAG slid to session lows following the ruling, with the company announcing that it was replacing BA’s chief executive Alex Cruz with Aer Lingus boss Sean Doyle with immediate effect.

Announcing the penalty, the regulator said its investigators found that BA did not detect the attack on June 22, 2018 but was alerted by a third party more than two months later, on September 5. However, the ICO added that it was not clear whether or when the company would have identified the attack itself.

An ICO spokesman added: “This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.”  Explaining why the final penalty was substantially lower than first suggested, the regulator said it considered representations from BA and the economic impact of the coronavirus pandemic, which has upended the travel industry.

“We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation,” the BA spokesman added.

Other major cyber incidents in the recent past include another London-listed airline, easyJet, which earlier this year said hackers had accessed the email and travel details of around 9m customers. Also, US hotel operator Marriott International in March suffered its second data incident in less than two years, with information of about 5.2m hotel guests suffering a breach.