The U.K. Information Commissioner's Office on Friday said its investigation into a 2018 cyber attack at the company found that "the airline was processing a significant amount of personal data without adequate security measures in place", exposing people's data unnecessarily.
"People entrusted their personal details to BA, and BA failed to take adequate measures to keep those details secure".
"That's why we have issued BA with a £20million fine - our biggest to date".
It is also unclear whether the airline would have detected the attack by itself, which was considered an "extreme failing" because of the number of people affected and the potential financial harm that could have been done, according to regulators.
The fine is considerably smaller than the £183m that the ICO originally said it intended to issue back in 2019, the BBC reports. The ICO notes that, but for the Covid-19 Policy which allows it to take account of the impacts of the pandemic, the original fine would have been £24m.
The ICO acknowledged that BA acted quickly and appropriately once the breach was discovered. "The law now gives us tools that encourage more efficient decision-making when it comes to data, including investments in up-to-date security technologies," commented Elizabeth Denham, an ICO member.
The cyberattack occurred on June 22nd, 2018, according to the ICO, but British Airways only became aware of the problem on September 5th when it was alerted by someone outside of the company.
The attacker is believed to have accessed the names, addresses, payment card numbers and CVV numbers of 244,000 British Airways customers.
A British Airways spokeswoman said it was sorry it fell short of its customers' expectations but was pleased the ICO recognised it had made considerable improvements to the security of its systems since the attack.
A further 77,000 customers had their combined card and CVV numbers accessed, and an additional 108,000 customers had just their card numbers accessed.
Usernames and passwords of employee and administrator accounts were also exposed, as well as usernames and PINs of up to 612 BA Executive Club accounts.
The ICO said that BA had failed to implement sufficient security around the data, even though measures that could have prevented the hack, such as multi-factor authentication, were built into the operating system, and that it had also failed to adequately test its systems.
In April, BA announced plans to cut up to 10,000 jobs, 30 per cent of its global workforce.