The airline British Airways has been fined £20 million by the Information Commissioner’s Office, the British counterpart of the CNIL. The British data protection authority accuses it of poor protection of its customers’ personal data.

Indeed, in the summer of 2018, the airline’s website was hacked. The customers of the company were then redirected to a fraudulent website that collected for cybercriminals personal data such as name, surname, and means of payment.

The ICO investigation concluded that British Airways could have identified the security vulnerabilities and taken appropriate measures to stop the theft of data from nearly 400,000 customers. The ICO further reported that the vulnerability took more than two months to be detected, constituting a serious breach of the company’s obligations under GDPR.

The fine, originally set at £183 million, has been revised downwards due to the impact on the airline economy of the Covid-19 health crisis.