British Airways has been fined £20million by the data watchdog after the personal and financial details of more than 400,000 customers were accessed by hackers in a 2018 data breach.
The Information Commissioner’s Office (ICO) dished out the biggest ever fine in its history after it found that the beleaguered airline should have identified the security weaknesses which enabled the attack to take place.
It said the carrier, which is in the throes of an existential crisis after coronavirus decimated demand for air travel, was processing a significant amount of personal data without adequate security measures in place.
The watchdog said this failure broke data protection law and caused BA to be subjected to a cyber-attack in 2018, which it did not detect for more than two months.
Addressing these security issues would have prevented the hack being carried out in this way, investigators concluded.
In a statement released today, the ICO concluded: ‘It is not clear whether or when BA would have identified the attack themselves.
‘This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant.’
Information Commissioner Elizabeth Denham said: ‘People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
‘Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.
British Airways has been fined £20million by the data watchdog after the details of more than 400,000 customers were accessed by hackers in a 2018 data breach (stock photo)
The Information Commissioner’s Office (ICO) dished out the biggest ever fine in its history after it found that the beleaguered airline should have identified the security weaknesses which enabled the attack to take place. It said the carrier, which is in the throes of an existential crisis after the coronavirus pandemic decimated demand for travel, was processing a significant amount of personal data without adequate security measures in place
‘When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.’
BA announced in July last year that the ICO was proposing to issue a fine of more than £183million, more than nine times the £20million the airline has eventually been fined.
The ICO said it considered ‘representations from BA and the economic impact of Covid-19 on their business’ before setting the final penalty.
Still, shares in BA’s Anglo-Spanish parent IAG slid to session lows following the announcement. By 9.20am, they were three per cent lower.
Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.
Cyber hacks on airlines increased 15,000 per cent in 2017-18
Attacks against passenger airlines increased by over 15,000 per cent between 2017 and 2018, according to research done by Netscout.
Hardik Modi, Netscout’s senior director for threat intelligence, says this could be because airlines are easy targets.
‘Cybercriminals have traditionally concentrated attacks on internet service providers, telecoms and cable operators. While those categories still represent prime targets, they are now relatively well-protected,’ Modi said.
In September 2018, British Airways suffered a cyber attack on its systems. Personal details, including payment data and addresses, were compromised by the hack, according to the ICO’s findings.
Last October, the High Court ruled that 500,000 BA customers affected could sue BA over the data breach.
In May 2018, Cathay Pacific Airways was hit by a ‘brute force’ attack with numerous passwords submitted in the hope of guessing correctly. Hackers stole passport numbers, emails and dates of birth from 9.4 million passengers including 111,000 Britons.
Last March, Cathay Pacific was today hit by a £500,000 fine by the ICO for the massive data breach.
In June 2019 the ICO issued BA with a notice of intent to fine. As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.
A spokesperson for BA said: ‘We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations.
‘We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.’
The attacker is believed to have potentially accessed the personal data of around 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.
Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.
ICO investigators found that BA did not detect the attack on June 22, 2018 themselves but were alerted by a third party more than two months afterwards on September 5.
Once they became aware BA acted promptly and notified the data watchdog.
The ICO said there were numerous measures BA could have used to mitigate or prevent the risk of an attacker accessing the network.
These include limiting access to applications, data and tools to only that which are required to fulfil a user’s role, undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems, and protecting employee and third party accounts with multi-factor authentication.
It said in a statement: ‘None of these measures would have entailed excessive cost or technical barriers, with some available through the Microsoft Operating System used by BA.’
Rachel Aldighieri, MD of the Data & Marketing Association, said: ‘This is the largest fine issued by the ICO to date under the new GDPR laws, highlighting the importance all businesses should place on the security of customers’ data and the need to build in safeguards to protect it.
‘Brexit and coronavirus have put businesses under immense financial strain and a fine of this magnitude will get the attention of Board members of organisations across the UK. They will certainly not want to risk receiving similar disciplinary action from the ICO.’
British Airways chief executive Alex Cruz (left) is to leave his role, the airline’s parent company has confirmed. He will be replaced by Aer Lingus chief executive Sean Doyle (right)
It comes as BA boss Alex Cruz is to be replaced by Aer Lingus chief executive Sean Doyle but will stay on as non-executive chairman for a transition period before his successor takes on the role.
Mystery surrounds the sudden departure of Mr Cruz, who less than a month ago faced MPs to defend the airline’s actions during the pandemic.
However, experts have now claimed that the decision is an example of Mr Gallego, who took over as CEO of BA parent company IAG last month, trying to stamp his authority on the airline.
Several other management changes were made today with Mr Gallego seemingly wanting to draw a line under Mr Cruz’s difficult tenure, which saw him oversee BA’s first strike, a massive data breach and controversial job losses in the wake of the coronavirus pandemic.
Mr Gallego is hoping to spearhead a recovery for the airline and is thought to have wanted a new face at the helm of BA, with Mr Cruz’s relationship with workers, unions and politicians growing increasingly fractious.
In April, BA announced plans to cut up to 10,000 jobs, 30 per cent of its global workforce. The airline was accused of threatening a ‘fire and rehire’ scheme which saw some employees facing pay cuts of up to 50 per cent.