BA Faces Record £183.39m Fine For Massive Data Breach

The Information Commissioner’s Office (ICO) has said it plans to fine British Airways a record £183.39 million for a data breach last year that affected half a million customers.

The fine is the ICO’s largest to date and the first to be published under stricter data protection rules that took effect in May 2018.

The airline said it was “surprised and disappointed” by the decision, and said it planned to make representations to the regulator ahead of a final decision.

On 6 September of last year BA said it had discovered a hack of its systems that had resulted in customers’ data being harvested by attackers as it was entered.

Security breach

The hack, which began in June 2018, was active during the busy summer holiday period and is believed to have affected some half a million users, the ICO said.

The regulator said attackers had compromised details including logins, payment card numbers and travel booking details, as well as name and address data, due to “poor security arrangements” at BA.

“People’s personal data is just that – personal,” said information commissioner Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The ICO said BA had cooperated with the investigation and had improved its security arrangements. The ICO carried out the probe as lead regulator on behalf of other EU member state data authorities.

‘Disappointed’

BA will have the opportunity to make representations in the case ahead of a final decision, and said it planned to do so.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” said Willie Walsh, chief executive of BA owner IAG.

BA chairman and chief executive Alex Cruz said the airline was “surprised and disappointed” by the initial finding.

“British Airways responded quickly to a criminal act to steal customers’ data,” he said. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

The GDPR data protection rules that took effect last year increase possible fines from a maximum of £500,000 to up to 4 percent of a company’s annual turnover.

The proposed BA fine is about 1.5 percent of the airline’s £11.6bn worldwide turnover in 2018.

The ICO’s previous record fine of £500,000 was levied on Facebook for its involvement in the Cambridge Analytica scandal.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
