Data protection breach: British Airways has to pay 22 million euros – instead of 204

Source: Heise.de added 17th Oct 2020

The UK data protection authority has fined British Airways (BA) 20 million pounds sterling for violations of customer and employee data protection law. That corresponds to roughly 22 million euros. The Information Commissioner's Office (ICO) accuses the airline of "processing a significant amount of personal data without adequate security measures in place". The consequence was a cyber attack that the company did not detect for more than two months.


Lower fine because of lost sales

Last year the ICO initially announced that it intended to set the fine at around 204 million euros. That would have corresponded to 1.5 percent of BA's worldwide turnover in the preceding financial year. Under the General Data Protection Regulation (GDPR), on the basis of which the supervisory authority opened the proceedings, a maximum penalty of up to four percent of annual worldwide turnover would have been possible. The ICO justifies the now considerably lower fine with the current loss of sales at BA caused by the corona pandemic. Further objections raised by the group against the original method of calculation were also taken into account.

In the 2018 attack, cybercriminals potentially had access to the personal data of around 429,612 customers and staff members. This included names, addresses and credit card details, including the Card Verification Value (CVV) security codes, of 244,000 customers. Usernames and passwords of employees, including administrators, and of holders of premium frequent flyer accounts were also affected.

IT security now "significantly improved"

The ICO investigators take the view that the company should have discovered and closed the security gaps earlier. Common protective measures such as restricted access rights, two-factor authentication and "rigorous testing" of the infrastructure would have been sufficient. Some of these precautions would have been available simply through configuration options in the Microsoft operating system BA was using. The ICO does acknowledge that the company has significantly improved its IT security since the attack.

UK Information Commissioner Elizabeth Denham emphasised that this is the highest penalty the ICO has imposed to date. Passengers had entrusted their personal data to BA; the failure to protect it was "unacceptable" and had caused many of those affected considerable distress.

Since the breach took place in June 2018, and thus before Brexit, the ICO states that it investigated the case as lead supervisory authority under the GDPR on behalf of the European Data Protection Board (EDPB). The sanction was approved by the EDPB through the usual cooperation procedure. British data protection law is still based on the GDPR, even if Prime Minister Boris Johnson wants to change this.


Read the full article at Heise.de

brands: Microsoft  
media: Heise.de  
keywords: Operating System  
