The UK Information Commissioner’s Office (ICO) has fined British Airways (BA) £20 million ($25 million). The commission found the airline responsible for failing to protect over 400,000 of its customers’ personal and financial data, which was leaked during a cyber-attack incident in 2018. While significant, the financial penalty is around 25 times lower than the “worst-case” scenario.

Following a two-year investigation, the ICO found that British Airways was processing “a significant” amount of its customers’ private data without proper security measures. Had the airline identified and resolved weaknesses of its security measures, it could have prevented the 2018 cyber-attack “being carried out in this way,” the commission outlined in a statement on October 16, 2020.

British Airways cyber-attack

British Airways revealed that it had been subject to a cyber-attack on September 6, 2018.

“From 22:58 (BST) August 21, 2018, until 21:45 (BST) September 5, 2018, inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised,” the airline’s statement read.

At that time, it was estimated that hackers obtained personal data of around 380,000 BA’s customers, including names, addresses, credit card numbers, expiry dates and security codes, but not travel or passport details, as the airline stressed.

“We discovered that something had happened but we didn’t know what it was [on the evening of September 5, 2018]. So overnight, teams were trying to figure out the extent of the attack,” the airline’s Chairman and Chief Executive Alex Cruz was quoted as saying by the BBC at that time. “The first thing was to find out if it was something serious and who it affected or not. The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.”

However, the ICO announcement indicates that the data breach actually affected around 429,612 BA’s customers and staff. Among them, there are around 244,000 people whose  names, addresses, payment card numbers, and CVV numbers are believed to have been accessed by the attacker.

Historic £20M fine against BA

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result,” ICO investigators outlined in the statement. “That’s why we have issued BA with a £20m fine – our biggest to date.”

However, the biggest fine to date is actually not that great when taken into the account that the initial, worst-case estimation pointed to a 25 times greater sum.

After the information about the BA’s cyber-attack became public in 2018, experts counted that the airline might be subject to up to £489 million ($637 million) fine ‒ 4% of its annual global revenue in 2017.

In June 2019, ICO issued the airline with a notice of intent to fine, finally revealing the actual size of the proposed financial penalty. In reality, the authority was proposing a £183.39 million fine against the air carrier, which was equal to approximately 1.5% of BA’s revenue in 2017.

So how did the fine go from the intended £183.39 million to the actual £20 million? Well, COVID-19 happened. “As part of the regulatory process the ICO considered both representations from BA and the economic impact of COVID-19 on their business before setting a final penalty,” the authority explained in its latest statement.