(Reuters) – Britain's data protection watchdog said on Friday that it has been fined British Airways PLC £ 20 million – its biggest sanction to date – for failing to protect data that left more than 400,000 of its customers' details the subject of a 2018 Cyberattack.
The Office of the Information Commissioner (ICO) said that its investigators found that BA should have identified weaknesses in its security and resolved them with available measures at that time, which would have prevented the data breach.
"Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and worry as a result," the ICO said.
BA said in a statement that it warned customers as soon as they became aware of
The penalty was significantly less than the £ 1
On Monday, IAG announced that they were replacing BA CEO Alex Cruz with Aer Lingus CEO Sean Doyle with immediate effect.
Announcement of the sanction, the regulator said its investigators found that BA did not detect the attack on 22 June 2018 – but was warned by a third party more than two months later, on 5 September.
The ICO added that it was not clear whether or when the company would have identified the attack itself. sade.
Explaining why the final penalty was significantly lower than first proposed, the regulator said it was considering BA representations and the economic effects of the coronavirus pandemic, which has boosted the travel industry. recogni says that we have made significant improvements to the security of our systems since the attack and that we fully cooperated with its investigation, "BA said in a statement.
Other major cyber incidents in the recent past include another London-listed airline EasyJet PLC, which earlier this year said hackers had access to e-mail and travel information for about 9 million customers.
In March, US hotel operator Marriott International Inc. was hit by its second computer incident in less than two years, with information about 5 , 2 million hotel guests affected by a crime.