LONDON – British Airways was fined £20 million (US$26 million) by the Information Commissioner's Office (ICO) in the UK for a 2018 data breach in which the personal and financial information of 429,612 BA customers was disclosed.
After nearly two years of investigation, the ICO concluded that British Airways lacked sufficient security measures for processing significant amounts of personal data.
The regulator said the bug violated data protection law.
Although the fine is less than the £183 million the ICO intended to impose in 2019, it is still the largest fine ever imposed by the watchdog, which says that the "economic impact of Covid-19" had to be considered.
The attacker is believed to have accessed the names, addresses, payment card numbers and CVV numbers of 244,000 British Airways customers.
A further 77,000 customers had their combined card and CVV numbers accessed and a further 108,000 customers only had their card numbers accessed.
The regulator said the usernames and passwords of up to 612 BA Executive Club members may also have been compromised.
It took British Airways more than two months to determine that a data breach had occurred.
Information Commissioner Elizabeth Denham said in a statement: "People entrusted BA with their personal information and BA did not take adequate measures to keep that information secure."
"Your failure to act has been unacceptable, affecting hundreds of thousands of people, potentially creating fear and distress. We have therefore fined BA £20 million – our largest to date."
"When companies make poor decisions about people's personal information, it can have a real impact on people's lives. The law now gives us the tools to encourage companies to make better decisions about data, including investing in current security."
A British Airways spokesperson told CNBC: "We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and we are sorry we did not meet our customers' expectations."
"We are pleased that the ICO recognizes that we have improved the security of our systems significantly since the attack and that we have fully cooperated with the investigation."