The UK’s Information Commissioner’s Office (ICO) has announced that the General Data Protection Regulation (GDPR) financial penalty that was imposed on British Airways in July 2019 has been reduced to £20 million ($26 million) from £184 million ($238 million).
The penalty relates to a 2018 data breach at the International Airlines Group-owned airline that exposed the personal information of approximately 430,000 of its customers. The ICO investigation found that British Airways had not implemented adequate security measures to protect the large amount of customer data held on its systems and that, as a result of those failures, attackers gained access to customers' payment card details and to employee credentials.
British Airways learned of the compromise only when a third party informed it that its systems had been breached, some two months after the attackers first gained access to its e-commerce system. The ICO was concerned by this failure to detect the intrusion and was not convinced that British Airways would have identified the breach at all without the third-party notification.
Once notified, British Airways acted promptly to remove the attackers from its systems and notified affected customers. The airline cooperated fully with the ICO investigation and has since made significant improvements to the security of its systems.
British Airways appealed the £184 million penalty. In reconsidering the amount, the ICO took into account the airline's representations together with the economic impact of COVID-19 on the firm, and reduced the penalty to £20 million. Despite the sizable reduction, it remains the largest GDPR fine the ICO has imposed on any company to date.
“People entrusted their personal details to BA, and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA a £20m fine – our biggest to date,” said ICO Commissioner Elizabeth Denham.