The fine, intended to penalise ‘poor security arrangements’ that allowed the attack to take place, is the largest ever announced by the ICO and its first under new GDPR rules
The Information Commissioner’s Office (ICO) has said it plans to fine British Airways a record £183.39 million for a data breach last year that affected half a million customers.
The fine is the ICO’s largest to date and the first to be published under stricter data protection rules that took effect in May 2018.
The airline said it was “surprised and disappointed” by the decision, and said it planned to make representations to the regulator ahead of a final decision.
The hack, which began in June 2018, was in effect during the busy summer holiday period and is believed to have affected some half a million users, the ICO said.
The regulator said attackers had compromised details including logins, payment card numbers and travel booking details, as well name and address data due to “poor security arrangements” at BA.
“People’s personal data is just that – personal,” said information commissioner Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO said BA had cooperated with the investigation and had improved its security arrangements. The ICO carried out the probe as lead regulator on behalf of other EU member state data authorities.
BA will have the opportunity to make representations in the case ahead of a final decision, and said it planned to do so.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” said Willie Walsh, chief executive of BA owner IAG.
BA chairman and chief executive Alex Cruz said the airline was “surprised and disappointed” by the initial finding.
“British Airways responded quickly to a criminal act to steal customers’ data,” he said. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
The GDPR data protection rules that took effect last year increase possible fines from a maximum of £500,000 to up to 4 percent of a company’s annual turnover.
The proposed BA fine is about 1.5 percent of the airline’s £11.6bn worldwide turnover in 2018.
The ICO’s previous record fine of £500,000 was levied on Facebook for its involvement in the Cambridge Analytica scandal.