British Airways was fined 20 million pounds ($26 million) by the U.K. data protection watchdog over a breach that compromised the personal and financial details of more than 400,000 customers, a reduction from the much heftier fine initially planned by the regulator.
The U.K. Information Commissioner’s Office on Friday said its investigation into a 2018 cyber attack at the company found that “the airline was processing a significant amount of personal data without adequate security measures in place,” exposing people’s data unnecessarily. The fine is the ICO’s biggest so far.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress,” U.K. data protection chief Elizabeth Denham said in the statement. “When organizations take poor decisions around people’s personal data, that can have a real impact on people’s lives.”
The final penalty is a fraction of the 183.4 million pounds the ICO had initially announced it planned to levy last year. BA said its systems were compromised from Aug. 21 through Sept. 5, 2018 and that about 380,000 transactions had been affected, advising people to contact credit-card providers. It said the stolen data didn’t include travel or passport details.
In July, BA set aside 22 million euros ($26 million) as a provision for the incident.
“The ICO recognizes that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation,” a BA spokeswoman said Friday in an email.
The ICO probe was done under European Union data protection rules that took effect in May 2018 and gave regulators for the first time the powers to slap companies with fines of as high as 4% of their global annual sales. The biggest fine levied under the rules so far remains a 50 million-euro penalty by France’s privacy regulator against Google.
— With assistance by Siddharth Vikram Philip