The United Kingdom’s Information Commissioner’s Office (ICO) has fined British Airways (BA, London Heathrow) GBP20 million pounds (USD26 million) for failing to protect the personal and payment card details of around 430,000 of its customers and staff, the subject of a 2018 cyber attack, it said in a statement explaining its actions on October 16.
An ICO investigation found that the airline was processing a significant amount of personal data without adequate security measures in place. This broke data protection law and, subsequently, BA was the victim of a cyber-attack, on June 22, 2018, which it failed to detect until a third party noticed it two months later, on September 5.
“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused anxiety and distress as a result,” said Elizabeth Denham, information commissioner, adding that the fine was the ICO’s biggest to date. “When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
The IAG International Airlines Group-owned carrier responded in its own statement: “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations. We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully cooperated with its investigation.”
However, the penalty was considerably less than the GBP183.4 million (USD238.7 million) the ICO proposed last year, which the regulator explained was in part due to the crisis the airline industry is currently facing.
On October 12, IAG announced it was replacing, with immediate effect, BA chief executive Alex Cruz with Aer Lingus (EI, Dublin International) CEO Sean Doyle.
In related news, on October 8, London-based hedge fund Marshall Wace disclosed that it had acquired a 3% stake in IAG. Last month, the airline group raised EUR2.74 billion euros (USD3.23 billion) to reduce its debt and ride out the pandemic, and the Financial Times reported that the bet on IAG was a sign that “there is value in UK stocks”. Shares in IAG, which has a primary listing on the London Stock Exchange and secondary listings in Spain, have lost more than three-quarters of their value this year, according to Reuters.
And, in Spain, IAG has guaranteed the Spanish government that it will carry out a restructuring of its board of directors in the hypothetical event that the European Union and the UK fail to close a Brexit agreement. The aim is that subsidiary Iberia (IB, Madrid Barajas) can maintain its current flight rights in Europe, the business newspaper Expansión reported. In the event of a hard Brexit, IAG said it would convene an extraordinary shareholders' meeting to make changes to the bylaws with the aim that the board is made up mainly of European shareholders.