Rafly G. Tech 10.17.2020 04:Oct AM EDT

British Airways Data Breach Scandal: ICO Fined $26 Million

British Airways faces a $26m (£20m) fine over a malicious data breach in 2018.

Attackers have successfully harvested over 500.000 customers' data & affected over 380,000 transactions, as BBC reported.

However, the $26m amount is incredibly smaller than the Information Commissioner's Office (ICO) issued in 2018: $236m (£183m). The economic impact of the pandemic is the cause of the decreasing sum.

Historically, it is still the biggest fine ICO has ever issued to this date. To put things into perspective, ICO fined Facebook for £500k, Uber for £400k, Yahoo for £250k, and Sony for £350k for years.

British Airways' Boss Apology

Álex Cruz, Chief Executive Officer of British Airways, has apologized for the "sophisticated, malicious criminal attack."

"We are committed to working with any customer who may have been financially affected by this attack, and we will compensate them for any financial hardship that they may have suffered," said Cruz, as reported by CNN.

"It was name, email address, credit card information - that would be credit card number, expiration date, and the three-digit [CVV] code on the back of the credit card," Cruz added.

The company's failure to protect its customers' data has weighed negative perspectives over the community.

This month, Cruz stepped down from his position at BA and will be replaced by Sean Doyle. Cruz took charge as the company's CEO in 2016.

How Did Data Breach on British Airways' Website Happen?

The attack occurred between 22:58 BST (British Summer Time) on August 21, 2018, until September 5. It wasn't until two months until a security researcher alerted BA and the ICO.

As mentioned above, login credentials, credit card info, and personal data of over 500.000 customers were affected. Fortunately, it didn't include a passport and travel details. Customers who made a transaction during those timeframes and dates were advised to change their PINs & passwords online.

Although the company did not explicitly mention the hack's details, cyber experts have weighed in some suggestions. Some believe that the website's loopholes are the primary cause of the breach.

Prof. Alan Woodward (University of Surrey) believes that an attacker might successfully get into the website's script, as he told BBC. As a customer types their personal data and credit card numbers, the planted script extracted the details and sent them.

This breach wasn't the first time a giant company's website became a target of a group of malicious hackers. In the same year, hackers harvested payment data from 40.000 Ticketmaster customers from the UK.

"You can put the strongest lock you like on the front door," he said, "but if the builders have left a ladder up to a window, where do you think the burglars will go?"