British Airways fined $36.5m for major data breach


By Dylan Bushell-Embling
Tuesday, 20 October, 2020


The UK Information Commissioner's Office (ICO) has fined British Airways a record £20 million ($36.5 million) for a data breach in 2018 which exposed the personal and financial details of more than 400,000 of its customers.

An investigation into the breach found that the airline was processing a significant amount of personal data without adequate security measures in place.

This failure resulted in the 2018 cyber attack which the airline failed to detect for more than two months, the ICO said.

This breach involved names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. The attackers are also believed to have accessed the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers, as well as usernames and passwords of BA employee and administrator accounts.

The investigation found that BA should have identified weaknesses in its security and resolved them with security measures that were widely available even at the time. This could have prevented the breach, according to Information Commissioner Elizabeth Denham.

“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” she said.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine — our biggest to date.”

Preventive measures BA could have taken but did not include limiting access to applications, data and tools to only those required to fulfil a user's role; undertaking rigorous testing of the business's systems in the form of a simulated cyber attack; and protecting employee and third-party accounts with multi-factor authentication.

Because the BA breach happened prior to Brexit, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR.

The size of the final penalty took into account representations from BA and the economic impact of COVID-19.
