The UK’s flag carrier airline, British Airways (BA), has been fined $25.85 million (20 million pounds) by the country’s information commissioner for not having sufficient data protection mechanisms to safeguard the personal and financial details of more than 400,000 of its customers.
In its statement to the public, the Information Commissioner’s Office (ICO) stated that the airline was functioning without adequate security measures in place and was incompetent enough not to detect the 2018 cyber attack for two months.
Elizabeth Denham from the ICO remarked that BA’s “failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.”
The European Union’s General Data Protection Rules, imposed in 2018, mandate fines of $23 million (20 million euros) or 4% of annual global turnover, whichever is greater, for organizations that are found guilty of the most serious violations.
The ICO’s penalty to British Airways is the largest for such an instance. The regulator said it considered representations from BA and the economic impact of the coronavirus crisis on its business before setting a final penalty, which was considerably less than the $237.04 million (183.4 million pounds) proposed last year.
The ICO said that its investigators found the airline should have identified vulnerabilities in its security and resolved them with measures available at the time, which would have prevented the cyber attack.