The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers.

BA was the subject of a cyber-attack in June 2018, which it did not detect for more than two months. The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. The data stolen included log in, payment card and travel booking details as well as name and address information.

The ICO investigation found that BA was processing significant amounts of personal data without adequate security measures in place, and that BA ought to have identified weaknesses in its security and resolved them using measures available at the time, none of which would have been excessively expensive. ICO investigators found that BA did not detect the attack themselves and were alerted by a third party more than two months after the attack took place. This was considered to be a severe failing, given the number of people affected and the potential for significant financial harm to have occurred.

The ICO issued BA with a notice of intent to fine in June 2019, following which it considered representations from BA and the economic impact of COVID-19. The £20m fine is the largest fine issued by the ICO to date, although it is considerably lower than the £183m that the ICO originally said it intended to issue back in 2019.

Amy BradburyThis is the ICO’s first major fine under the GDPR and will serve as a warning to other companies as to what to expect if they fail to protect customers from data breaches.”

, Data Protection senior associate, said: “

Further information may be found here.