British Airways has been fined £20 million for its failure to protect the personal data of more than 400,000 customers.
The Information Commissioner’s Office (ICO) had originally announced its intention to fine BA £183 million in July 2019 following a security breach in June 2018.
An investigation by the ICO concluded that the airline was processing volumes of personal data and had not implemented adequate security measures.
The security breach went on undetected for two months. The organization says that BA should have found the weaknesses in its system and been able to resolve them.
The breach involved customer information such as log-in information, payment card and travel booking details.
The ICO says BA could have employed various measures to “mitigate or prevent the risk” of an attack on its network, including simulating a cyber-attack on its systems and protecting employee and third-party accounts with multi-factor authentication.
The carrier said in July last year that it would defend its position and the final penalty from the ICO is said to reflect the carrier’s “representations” as well as the impact of COVID-19 on its business.
The ICO announced its intent to fine Marriott £99 million just days after the BA announcement last year.
The organization says the regulatory process is ongoing.
This year a number of travel companies have admitted to security breaches in their systems including MGM Resorts, easyJet and a second attack on Marriott.
Security experts have highlighted the heightened threat to travel companies as the industry recovers from the pandemic.
In August alone, Carnival said it was investigating an attack that accessed the personal data of employees and guests while CWT admitted it had suffered a cyber security breach.