An ICO investigation found that the airline was processing a significant amount of personal data without adequate security measures in place. This failure was in breach of data protection laws and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months. ICO investigators found that BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time. Addressing these security issues would have prevented the 2018 cyber-attack happening in this way, investigators concluded.

Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process.

In June 2019 the ICO issued BA with a notice of intent to fine. As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty.

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.

The ICO found that there were numerous measures BA could have used to mitigate or prevent the risk of an attacker being able to access the BA network. These include:

• limiting access to applications, data and tools to only that which are required to fulfil a user’s role;
• undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems; and
• protecting employee and third-party accounts with multi-factor authentication.

ICO investigators also found that BA did not detect the attack on 22 June 2018 itself, but were alerted by a third party more than two months after on 5 September. Once they became aware BA acted promptly and notified the ICO.

It was not clear whether or when BA would have identified the attack itself. This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant, the ICO said. To read the ICO’s announcement in full and for a link to the penalty notice, click here.