An investigation from the ICO into the 2018 breach found that the airline broke data protection law by processing personal data without adequate security measures in place.

The regulator found that if BA had identified and addressed these security issues, the cyber attack would have been prevented. The attacker is believed to have potentially accessed the data of around 429,000 BA customers and staff, including names, addresses, payment card numbers and CVV numbers of 244,000 customers.

BA did not detect the attack in June 2018 but was alerted by a third party in September 2018, and then notified the ICO, the investigation found.

The £20m fine is the biggest issued by the ICO to date but is considerably lower than the £183m fine originally intended by the regulator.

BA was issued with a notice of intent to fine in June 2019 and the ICO considered representations from BA and the economic impact of Covid-19 on the airline’s business as part of the regulatory process.

The regulator noted that BA has improved its IT security since the cyber attack.

Information commissioner Elizabeth Denham said: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result.”

A spokesperson for BA said: “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations.

“We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”