Published 16:33 IST, October 18th 2020

British Airways fined £20 MN for data breach affecting 400,000 customers

“A significant amount of personal data without adequate security measures in place” was being processed by UK’s British Airways, ICO said in a release.

Reported by: Zaini Majeed

On October 17, British Airways was fined £20 MN by the Information Commissioner’s Office (ICO) over a data breach that compromised the information of more than 400,000 customers. The UK’s leading airline was processing “a significant amount of personal data without adequate security measures in place”, a violation of data protection law that resulted in a mega cyber-attack in 2018 which went undetected for approximately 2 months.

In an official report, the ICO watchdog said that it fined BA after identifying weaknesses in its security measures which, had they been addressed, would have prevented the 2018 cyber-attack. The ICO investigators concluded that BA’s failure to safeguard customers’ personal and sensitive information violated data protection law, and a penalty has therefore been imposed, taking the COVID-19 outbreak into consideration.

Information Commissioner, Elizabeth Denham said in the report, “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.”

Further, she added, “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.”

BA’s £20m fine is being called the ICO’s biggest penalty to date. “When organizations take poor decisions around people’s personal data, that can have a real impact on people’s lives,” Denham reiterated, stressing that the protection of customer information registered with firms was of utmost importance. “Law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security,” she said.

Cyber attack of 2018

Ahead of the UK’s exit from the EU, the ICO initiated an investigation into British Airways as lead supervisory authority under the GDPR. Following the investigation, the ICO issued a notice of intent to fine in June 2019 as part of the regulatory process, which was approved by the other EU DPAs. In 2018, a cyber attacker accessed the personal data of approximately 429,612 customers and staff and compromised the names, addresses, payment card numbers, and CVV numbers of 244,000 BA customers. While credit and debit card numbers of an estimated 108,000 customers were compromised, as many as 77,000 customers’ card CVVs were stolen by the cybercriminals. Furthermore, the investigators found that the usernames, PINs, and passwords of over 612 Executive Club accounts were leaked in the attack.

While the cyberattack occurred on the BA network, it was found that gaps in measures such as limits on access to applications, data and tools, rigorous testing of the business’s systems, and multi-factor authentication on third-party accounts led to the attack. “ICO investigators found that BA did not detect the attack on 22 June 2018 themselves but was alerted by a third party more than two months afterward on 5 September,” investigators said in the report.

Updated 16:34 IST, October 18th 2020