British Airways has been fined £20m (U.S. $26 million) by the U.K.’s Information Commissioner’s Office for a 2018 breach that impacted more than 400,000 customers. That penalty is significantly less than the one the ICO had indicated it intended to impose.
In a press statement accompanying the monetary penalty notice, the ICO stated:
An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.
ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.
Addressing these security issues would have prevented the 2018 cyber-attack being carried out in this way, investigators concluded.
Read more of the press release that recaps the incident and its impact.