The ICO had stated their intention to fine the airline £183m following a cyberattack in 2018 which saw half a million customers' details harvested by hackers. But that was reduced to £20m because of the impact of the COVID-19 pandemic, with an investigation finding that BA had breached the DPA because it was processing "a significant amount of personal data without adequate security measures in place". A total of 17 penalties were issued last year according to official figures in the ICO's work to recover fines report. The second largest fine, £18.4m, was handed out to Marriott International Inc on October 30, also for a breach of the DPA.