An ICO investigation found that the airline was processing a significant amount of personal data without adequate security measures being in place. This failure broke data protection law and, subsequently, British Airways was the subject of a cyberattack during 2018, but which the company didn’t detect for more than two months.

ICO investigators found that British Airways ought to have identified weaknesses in its security and resolved them with security measures that were available at the time. Investigators concluded that addressing these security issues would have prevented the 2018 cyberattack being carried out in this way.

Speaking about the case, Information Commissioner Elizabeth Denham said: “People entrusted their personal details to British Airways and the company failed to take adequate measures to keep those details secure. The company’s failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued British Airways with a £20 million fine. This is the biggest fine we have issued to date”

Further, Denham stated: “When organisations take poor decisions around personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

Mark Wilding, Business Development Director says “it’s imperative that data security protocols are adhered to. This demonstrates that the ICO, quire rightly, are going to punish companies financially, if they get it wrong”