(United Kingdom) The initially massive British Airways fine has been resolved with a whimper rather than a bang for the ICO. TechCrunch reports as follows:
One of the biggest data breaches in U.K. corporate history has been closed off by regulators not with a bang, but a whimper. Today the Information Commissioner’s Office, the U.K.’s data watchdog, announced that it would be fining British Airways £20 million ($25.8 million) for a data breach in which the personal details of more than 400,000 customers were leaked after BA suffered a two-month cyberattack and lacked adequate security to detect and defend itself against it. It had originally planned to fine BA nearly £184 million, but it reduced the penalty in light of the economic impact that BA (like other airlines) has faced as a result of COVID-19, as well as work BA had undertaken to address the issue, and the ICO learning more about the nature of the attack in a further investigation.
Even with the reduced penalty size, the ICO is sticking by its original conclusions:
“People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said Information Commissioner Elizabeth Denham in a statement. “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20 million fine – our biggest to date. When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
(Privacy press clipping sourced via TechCrunch)
Jurisdiction: United Kingdom