

Record fine for BA over data breach

16 Oct 2020 / data law

The UK’s data watchdog has fined British Airways (BA) a record £20 million for failing to protect the personal and financial details of more than 400,000 of its customers from a cyber-attack in 2018.

An investigation by the Information Commissioner’s Office (ICO) found that the airline was processing a significant amount of personal data without adequate security measures in place.

“This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months,” the ICO said in a statement.

Security weaknesses

The watchdog’s investigators found that BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.

ICO investigators found that BA did not itself detect the attack of 22 June 2018, but was alerted by a third party more than two months afterwards.

The attacker is believed to have potentially accessed the personal data of around 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date,” said Information Commissioner Elizabeth Denham.

Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland