British Airways has been fined £20m by the Information Commissioner’s Office (ICO) for a data breach which affected more than 400,000 customers.

The breach took place in 2018 and affected both personal and credit card data.

The ICO originally considered a much larger fine but said it had taken into account the economic impact of Covid-19.

It is still the largest penalty ever issued by the ICO.

The incident took place when BA’s systems were compromised by its attackers and modified to harvest customers’ details as they were input.

The data stolen included log in, payment card and travel booking details as well name and address information.

An investigation concluded that sufficient security measures, such as multi-factor authentication, were not in place at the time.