Investigators for the Information Commissioner’s Office (ICO) found that bosses should have spotted the security failings that let the attack happen.
The airline did not protect users’ personal and financial details and did not notice the 2018 hack for weeks, the ICO added.
Information Commissioner Elizabeth Denham said: “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress.
“That’s why we have issued BA with a £20 million fine – our biggest to date. When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”
The ICO warned in July last year that BA might be fined more than £183 million, but now said it considered “representations from BA and the economic impact of Covid-19” on the firm before setting the fine.
An airline spokeswoman said BA was “sorry we fell short of our customers’ expectations. We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation”.
The ICO said the investigation found the airline was “processing a significant amount of personal data without adequate security measures”, breaking data protection law.
Investigators said BA ought to have identified data weaknesses and resolved them with security measures that were available at the time.