British Airways fined £20 Million for the 2018 data breach


British Airways has been fined 20 million pounds from the initial proposal of 183 million pounds by the Information Commissioner’s Office (ICO) after a data breach in 2018.

The penalty was reduced due to the ongoing economic impact of the COVID crisis. The ICO findings found out that British Airways have been acting illegally in its treatment of customer data.

The 2018 data breach affected over 400,000 personal and debit card data. Regarding this, the ICO said:

“The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.”

“Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers.”

An investigation concluded that sufficient security measures, such as multi-factor authentication, were not in place at that time.

British Airways were unaware about the attack but were later notified by a third party more than two months after the attack. Then the airline subsequently notified the ICO.