Regulators fined British Airways more than $25 million on Friday for allegedly botching a massive data breach that affected more than 400,000 people.
The airline had not implemented any security measures that could have prevented the June 2018 cyberattack that caused the breach, which may have exposed the personal data of around 429,612 British Airways customers and employees, the UK Information Commissioner’s Office said on Friday.
The British airline also only learned of the attack when a third party reported it to the company more than two months after it occurred.
“Your failure to act has been unacceptable, affecting hundreds of thousands of people, potentially creating fear and distress,” said UK Information Commissioner Elizabeth Denham in a statement, adding that the £20m fine was the largest her agency has imposed to date.
The fine is much less than the £183.4 million (approximately $236.4 million) fine that the office said last year it planned to impose on British Airways. Officials said they had examined the airline’s accounts of the attack, along with “the economic impact of COVID-19 on their business”, before setting the final amount.
The hacker who attacked British Airways may have had access to the names, addresses and credit card information of around 244,000 customers, according to regulators. The attack may also have exposed usernames and passwords for the airline’s employee and administrator accounts, as well as personal identification numbers for usernames for more than 600 Executive Club accounts.
British Airways could have taken several inexpensive steps to prevent the risk of such an attack, such as restricting access to applications and protecting accounts with “multi-factor authentication”.
It is also unclear whether the airline itself discovered the attack, which was considered a “major failure” given the number of people involved and the potential financial damage that regulators said could have been caused.
“We alerted customers as soon as we learned of the criminal attack on our systems in 2018, and we are sorry that we did not meet our customers’ expectations,” said British Airways in a statement on Friday. “We are pleased that the ICO recognizes that we have significantly improved the security of our systems since the attack and that we have fully cooperated with the investigation.”