Regulators fined British Airways more than $25 million Friday for allegedly bungling a massive data breach that affected more than 400,000 people.
The airline failed to implement security measures that could have prevented the June 2018 cyberattack that caused the breach, which potentially exposed the personal data of some 429,612 British Airways customers and staff, the UK’s Information Commissioner’s Office said Friday.
The British carrier also didn’t learn about the attack until a third party flagged it for the company more than two months after it occurred, officials said.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result,” UK Information Commissioner Elizabeth Denham said in a statement, adding that the 20 million-pound fine was the biggest her agency has issued to date.
The penalty is much smaller than the fine of 183.4 million pounds (about $236.4 million) that the office said it planned to impose on British Airways last year. Officials said they considered the airline’s representations about the attack along with “the economic impact of COVID-19 on their business” before settling on the final amount.
The hacker who attacked British Airways may have had access to the names, addresses and credit card information for some 244,000 customers, regulators said. The attack may have also exposed usernames and passwords for the airline’s employee and administrator accounts along with usernames and personal identification numbers for more than 600 “Executive Club” accounts, officials said.
British Airways could have taken several inexpensive steps to prevent the risk of such an attack, such as limiting access to applications and protecting accounts with “multi-factor authentication,” officials said.
It’s also unclear whether the airline would have spotted the attack on its own, which was considered a “severe failing” because of the number of people affected and the potential financial damage that could have been done, according to regulators.
“We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations,” British Airways said in a statement Friday. “We are pleased the ICO recognizes that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”