British Airways has been fined £20 million over a 2018 data hack, the Information Commissioner's Office (ICO) has announced.
Investigators found the airline should have identified the security weaknesses which enabled the attack to take place.
The carrier failed to protect the personal and financial details of more than 400,000 customers, the ICO said.
It did not detect the hack for more than two months.
READ MORE: British Airways chief executive Alex Cruz steps down
Information Commissioner Elizabeth Denham said: "People entrusted their personal details to BA, and BA failed to take adequate measures to keep those details secure.
"Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.
"That's why we have issued BA with a £20 million fine - our biggest to date.
"When organisations take poor decisions around people's personal data, that can have a real impact on people's lives.
"The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security."
British Airways announced in July last year that the ICO was proposing to issue a fine of more than £183 million.
This is more than nine times the £20 million the airline has eventually been fined.
The ICO said it considered "representations from BA and the economic impact of Covid-19 on their business" before setting the final penalty.
A British Airways spokeswoman said: "We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers' expectations.
"We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation."
The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff.
This included the names, addresses, payment card numbers and the three digits on the back of cards of 77,000 customers, and card numbers only for 108,000 customers.
Usernames and passwords of British Airways' employee and administrator accounts, as well as the usernames and PINs of up to 612 of the airline's Executive Club accounts, were also potentially accessed.
Investigators found that the carrier did not detect the attack on June 22 2018 and more than two months passed before they were alerted by a third party on September 5.
It is "not clear whether or when BA would have identified the attack themselves", the ICO said.
"This was considered to be a severe failing because of the number of people affected and because any potential financial harm could have been more significant."
The ICO found there were "numerous measures" British Airways could have used to prevent or reduce the impact of the attack.
These include undertaking rigorous testing on its systems and protecting accounts with multi-factor authentication.
None of these would have involved "excessive cost or technical barriers" and some were available through the operating system being used by the airline.
The watchdog said the carrier "acted promptly" once it became aware of the hack, and has since made "considerable improvements to its IT security".
Why are you making commenting on HeraldScotland only available to subscribers?
It should have been a safe space for informed debate, somewhere for readers to discuss issues around the biggest stories of the day, but all too often the below the line comments on most websites have become bogged down by off-topic discussions and abuse.
heraldscotland.com is tackling this problem by allowing only subscribers to comment.
We are doing this to improve the experience for our loyal readers and we believe it will reduce the ability of trolls and troublemakers, who occasionally find their way onto our site, to abuse our journalists and readers. We also hope it will help the comments section fulfil its promise as a part of Scotland's conversation with itself.
We are lucky at The Herald. We are read by an informed, educated readership who can add their knowledge and insights to our stories.
That is invaluable.
We are making the subscriber-only change to support our valued readers, who tell us they don't want the site cluttered up with irrelevant comments, untruths and abuse.
In the past, the journalist’s job was to collect and distribute information to the audience. Technology means that readers can shape a discussion. We look forward to hearing from you on heraldscotland.com
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules hereCommments are closed on this article