British Airways’ fine for a data breach in 2018 has been sharply reduced because of new information and worries over its impact on the struggling airline in the face of the coronavirus pandemic.
The UK’s data protection regulator reduced the fine to £20m for a breach that exposed personal and financial data of more than 400,000 customers in 2018 from the proposed £183m announced last year.
The Information Commissioner’s Office said the fine, although its biggest to date, had been cut as it took into account the financial damage Covid-19 had caused as part of a wider regulatory position set out in April.
The lower fine, provisionally set in July 2019, will come as a relief to the airline, which had vigorously contested the scale of the original penalty.
“We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation,” BA said in a statement.
The ICO said that the attacker potentially accessed sensitive information of BA customers, including names, addresses, payment card numbers and CVV codes.
The regulator also pointed to a number of measures that the company could have taken to reduce the risk, such as rigorous testing of its cyber-defences and multi-factor authentication.
The ICO added that following the attack, BA had made “considerable improvements” to its cyber security.
“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said information commissioner Elizabeth Denham.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.”
The ICO fine follows the General Data Protection Regulation, or GDPR, the EU’s new rules on data protection, which came into force in May 2018.
It allows for fines of up to 4 per cent of global revenues or €20m, whichever is greater. Under the old regime the maximum penalty was £500,000.
Ann Bevitt, a partner at law firm Cooley, said: “The ICO’s pragmatism may mean that this fine does not have a significant deterrent effect on other companies which are not in compliance with the GDPR.”
She added that the fine was significantly smaller than the €35m imposed on H&M by the Hamburg data protection authority earlier this month for monitoring hundreds of employees.
For BA, a reduced fine is some good news amid a difficult period as the coronavirus crisis has taken a heavy toll on the company.
It has been forced to cut about 10,000 jobs, about a quarter of its workforce, and reduce flight schedules and has been plunged into tough negotiations with unions.
On Monday, it installed a new chief executive, Aer Lingus boss Sean Doyle, to replace Alex Cruz.
Mr Cruz stepped down after a turbulent four years that will be remembered for a string of crises including the 2018 data breach and other IT and systems failures that led to cancellations and delays for passengers.