British Airways has been landed with a £20mln fine for a data breach that saw details of 400,000 customers hacked in 2018.
It is the largest fine ever handed out by the UK data protection watchdog, the Information Commissioner’s Office (ICO), which said BA’s failure to act was unacceptable.
“BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time,” the ICO added.
“Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way,” investigators concluded.
However, the outcome might have been far worse for the cash-strapped airline, with the provisional estimate of the fine put at £183mln.
The ICO said it had decided on the final reduced amount after it considered both representations from BA and the economic impact of COVID-19 on its business.
Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.”
Details of people’s names, addresses, payment card numbers and verification codes were accessed, said the ICO, with 77,000 customers having both their card number and verification code stolen.
The ICO said its investigators found that BA did not detect the attack on 22 June 2018 but was alerted by a third party more than two months afterwards.
“Since the attack, BA has made considerable improvements to its IT security,” it added.
BA, part of airline group International Consolidated Airlines (LON:IAG), has been battling the impact of COVID-19 restrictions on air travel.
The airline recently launched a €2.75bn rights issue to shore up its balance sheet and said it will take until at least 2023 for passenger demand to recover to 2019 levels.