British Airways has been fined £20m by the Information Commissioner’s Office (ICO) for failing to protect the personal and financial details of 400,000 of its customers.

An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber attack during 2018, which it did not detect for more than two months.

ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time. Addressing these security issues would have prevented the 2018 cyber attack being carried out in this way, investigators concluded.

The penalty has however been restricted from the initial notice proposing that a penalty of £183m be imposed.

Under the General Data Protection Regulation an organisation can be fined 4% of its global turnover.

Information Commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.

“Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.

“When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

Since the attack, BA has made considerable improvements to its IT security.