British Airways (BA) is facing a record fine of £183 million for last year’s data breach of its security systems and is set to lodge an appeal against the decision.
The carrier is owned by International Consolidated Airlines Group (IAG) and said it was “surprised and disappointed” by the penalty from the Information Commissioner’s Office (ICO).
The proposed fine relates to a cyber incident notified to the ICO by BA in September 2018. At the time, BA said hackers had carried out a “sophisticated, malicious criminal attack” on its website.
The ICO said in a statement that it was the biggest penalty it had ever handed out for infringements of the General Data Protection Regulation (GDPR) and the first to be made public under new rules.
ICO said this incident in part involved user traffic to the BA website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.
The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO said BA has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light.
The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
The ICO said it will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.
BA has 28 days to appeal the decision. Willie Walsh, chief executive of IAG, has said in media reports that BA would be making representations to the ICO. “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” he added.
BA chairman and chief executive Alex Cruz also said the airline was “surprised and disappointed” by the ICO’s initial finding.
The British Airways fine is equivalent to 1.5 per cent of BA’s worldwide revenue in 2017, or about four pounds for every passenger the airline is expected to fly this year.
If the same breach had occurred before May 2018, when the old law was still in effect, the maximum fine the British data regulator could have handed out was just £500,000. This is what Facebook was fined in October by the ICO, and it was the maximum it could fine Facebook – for the social network’s role in the Cambridge Analytica scandal – because those violations took place before GDPR came into effect.