MSE News

British Airways fined £20m for data breach that affected more than 400,000 customers

British Airways fined £20m for data breach that affected more than 400,000 customers

The information watchdog has fined British Airways £20 million for failing to protect the personal and financial details of some of its customers during a data breach in 2018.

Investigators found that BA should have fixed weaknesses in its security measures, which would have prevented the 2018 cyber-attack – covered in our British Airways data breach MSE News story – taking place in the way it did.

They also found that BA didn't detect the attack themselves, and only became aware of it when they were alerted by a third party more than two months after it had taken place. 

The Information Commissioner's Office (ICO) announced in July last year that BA could be fined more than £183 million. This is more than nine times the £20 million the airline was eventually fined.

See our 30+ Ways to Stop Scams guide for information on keeping your data safe.

What details were taken and what should I do if I was a victim of the breach?

The attacker in the hack is believed to have potentially accessed the personal data of approximately 429,612 customers and staff.

This included the names, addresses, payment card numbers and the three digits on the back of cards of 77,000 customers, and card numbers only for 108,000 customers.

Usernames and passwords of BA's employee and administrator accounts, as well as the usernames and PINs of up to 612 of the airline's Executive Club accounts, were also potentially accessed.

You can find more details in our British Airways data breach story, including tips for those affected by the hack – though as it was now over two years ago, much of the guidance will be moot.

You can see our general guidance in the 30+ Ways to Stop Scams guide.

What does the Information Commissioner say?

Information Commissioner Elizabeth Denham said: "People entrusted their personal details to BA, and BA failed to take adequate measures to keep those details secure.

"Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That's why we have issued BA with a £20 million fine – our biggest to date.

"When organisations take poor decisions around people's personal data, that can have a real impact on people's lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security."

What does BA say?

A British Airways spokesperson said: "We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers' expectations.

"We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation."