
BA fined £20m for poor IT security leading to theft of personal data

Jul 13th, 2021

Fiona Kingscott, Solicitor

British Airways has been fined a record-breaking £20m, and has also paid an undisclosed sum to settle a group action, for breaching data protection law.  Its website was compromised, and the attackers harvested customers’ payment card details as the customers typed them in, including the CVV security codes.

Over 420,000 people were affected.  The number would have been smaller had the breach not gone undetected for two months: it was an external security researcher, not BA, who spotted it.  It is not clear whether or when BA would have noticed the compromise on its own, and the regulator considered this a severe failing.

It may have been a compromise of BA’s own booking site, or of a third-party provider whose code was used on that site.  The attacker may have been an insider or an outsider.  Either way, there were measures BA could have taken at modest cost which would have reduced the risk, such as:

  • continually vetting the third-party code used on its site;
  • limiting access to its systems and data to those who needed it;
  • rigorous testing, including simulated cyber-attacks; and
  • using multi-factor authentication.
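The first item in that list, vetting third-party code, is the one most directly relevant to an attack in which card details are skimmed from a web page as they are typed.  A practical way to do it continuously is to record a hash of every third-party script a payment page loads and raise an alert whenever the script a vendor serves no longer matches.  The Python below is an added example, not code from the original article or from BA; the script URLs and contents are constructed placeholders, and in a real deployment the “fetched” content would come from periodically downloading each script.

```python
import base64
import hashlib

# Constructed sample: the third-party scripts a booking page loads, keyed by URL,
# with the content that was reviewed and approved when the pin was recorded.
# These are illustrative placeholders, not real vendors or real vendor code.
APPROVED_SCRIPTS = {
    "https://cdn.example-vendor.test/widget.js":
        b"window.Widget = function () { /* reviewed v1 */ };",
    "https://static.example-analytics.test/track.js":
        b"window.track = function (e) { /* reviewed v3 */ };",
}


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return a Subresource Integrity string ('sha384-<base64 digest>') for content.

    The same value can be placed in <script integrity="..."> so that the browser
    refuses to execute the script if the served bytes no longer match.
    """
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def record_pins(approved: dict[str, bytes]) -> dict[str, str]:
    """Compute a pin for every approved script; store the result with the site config."""
    return {url: sri_hash(body) for url, body in approved.items()}


def check_scripts(pins: dict[str, str], fetched: dict[str, bytes]) -> list[str]:
    """Compare what each vendor currently serves against the recorded pins.

    Returns a list of findings; an empty list means every pinned script is
    unchanged and no unreviewed script has appeared.
    """
    findings = []
    for url, expected in pins.items():
        body = fetched.get(url)
        if body is None:
            findings.append(f"MISSING {url}: pinned script is no longer served")
            continue
        actual = sri_hash(body)
        if actual != expected:
            findings.append(f"CHANGED {url}: expected {expected}, got {actual}")
    # A script that was never reviewed is as suspicious as one that changed.
    for url in sorted(fetched.keys() - pins.keys()):
        findings.append(f"UNPINNED {url}: script is loaded but was never reviewed")
    return findings


if __name__ == "__main__":
    pins = record_pins(APPROVED_SCRIPTS)

    # Constructed "fetched" content: the widget vendor's script has had a line appended.
    served_today = dict(APPROVED_SCRIPTS)
    served_today["https://cdn.example-vendor.test/widget.js"] += (
        b"\nwindow.Widget.onSubmit = function (f) { /* new, unreviewed */ };"
    )
    for finding in check_scripts(pins, served_today):
        print(finding)
```

Run on a schedule (for example hourly) against every page that handles card data, and treat any CHANGED, MISSING or UNPINNED finding as an incident to triage, since a legitimate vendor release and a tampered script look identical until someone reviews the diff.  Where the vendor supports it, the same pin value can be put in the page’s `integrity` attribute so that the browser blocks an altered script outright.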

BA’s two main failures were: (a) not investing enough time and money in securing its systems; and (b) not detecting the breach for two months.  It does not appear to have been on the ball.

The Information Commissioner’s Office (ICO)

The ICO initially announced an intended fine of £183m, but reduced it to £20m, in part because of the financial hardship airlines are currently suffering due to the pandemic.  It may not be as lenient in future.

It is clear that the ICO is going to enforce the data protection law rigorously.  Personal data is very valuable.  Cyber criminals are getting cleverer.  The victims of these attacks suffer anxiety as well as potential loss. 

Protect your data

The law requires companies to take ‘appropriate’ technical and organisational measures to protect personal data.  The ICO will be more lenient with an organisation that has invested in its system security to an appropriate level.  In its view BA had not done so, and that was not acceptable.

The ICO said “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure”.

Ticketmaster was similarly fined £1.25m for (a) failing to assess the risk of using a chat-bot, hosted by a third party, on its payment page; (b) failing to put in place measures to address that risk; and (c) failing to identify the source of suspected fraudulent activity in a timely manner.  Again, payment card details were stolen.  The ICO said the fine “will send a message to other organisations that looking after their customers’ personal details safely should be at the top of their agenda”.

If you need to talk to us on this issue please contact us in absolute confidence.
