British Airways has been fined Â£20 million over a 2018 data hack, the Information Commissionerâs Office (ICO) has announced.
Investigators found that the airline should have identified the security weaknesses which enabled the attack to take place.
The carrier failed to protect the personal and financial details of more than 400,000 customers, the ICO said.
The ICO said the Â£20 million fine is the biggest ever penalty it has issued, and follows a cyber-attack on British Airways in 2018, which the company did not detect for more than two months.
Its subsequent investigation found the airline was âprocessing a significant amount of personal data without adequate security measures in placeâ, breaking data protection law.
ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time, which would have prevented the 2018 breach.
Information Commissioner Elizabeth Denham said: âPeople entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
âTheir failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. Thatâs why we have issued BA with a Â£20 million fine â our biggest to date.
âWhen organisations take poor decisions around peopleâs personal data, that can have a real impact on peopleâs lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.â
In a statement, British Airways said: âWe alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customersâ expectations.
âWe are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.â
British Airways, Data breach, Information Commissioner’s Office
World news – GB – BA fined Â£20m after personal and bank details of 400,000 customers hacked