The Information Commissioner’s Office (ICO) said Friday that the “airline was processing a significant amount of personal data without adequate security measures in place” at the time of a cyber-attack in 2018.
The attacker, according to ICO, “potentially accessed the personal data of approximately 429,612 customers and staff,” including the names, addresses, payment card numbers and CVV numbers of 244,000 customers.
An investigation also showed that the attacker potentially accessed usernames and passwords of British Airways employee and administrator accounts as well as usernames and PINs of up to 612 of the airline’s Executive Club accounts.
British Airways, according to the data regulator, did not detect the data breach for more than two months. The attacks occurred in late June 2018 and British Airways learned about it in early September, when the airline reported the problem to the data regulator.
“People entrusted their personal details to British Airways and the airline failed to take adequate measures to keep those details secure,” Elizabeth Denham, Information Commissioner, said.
She added that such a failure was unacceptable, as it potentially affected hundreds of thousands of people.
ICO said it has considered the economic impact of COVID-19 on the British Airways’ business before settling on the final penalty, which is the largest ever levied by the regulator.