British Airways has been fined € 22 million for breaches of GDPR legislation

The ICO - British Information Office has decided to impose a fine of £ 20 million (€ 22 million) for a breach of the GDPR.

Cyber ​​attack by an unknown perpetrator

For a violation of the General Regulation on the Protection of Personal Data and in particular the principles of security and liability, a major airline was fined one million. The number of victims reached approximately 430,000 people, and not only customers but also the company's own employees were injured. Commissioner Elizabeth Denham said the airline did not have sufficient financial and personal data protection. A cyber incident occurred in June 2018, when an unknown perpetrator struck his cyber attack.

The amount of stolen data was not small

Addresses, names, numbers and CVV codes of customers' payment cards were stolen by an unknown cyber perpetrator. The attacker even managed to obtain login data from employees' and even administrators' accounts. Data from Executive Club members' accounts has been stolen as well. According to the investigation report, the stolen data on the server was unencrypted. The company also made mistakes in catching and identifying the attack, as they were not aware of the case even two months after the incident, when the third party has revealed this breach.

The amount of the fine could be up to 202 million euros

The British Information Office said the company should have focused more on protecting personal data, such as multi-factor authentication or testing the network with a simulated cyber attack. The ICO (Information Commissioner's Office) initially wanted to impose a fine of up to 183 million pounds, which is up to 202 million euros. The Information Office considered the airline's comments and their impact on COVID-19 on their economic activity. The final verdict of the office was 20 million pounds, and British Airways thus avoided a 202 million fine in euros.