The Information Commissioner’s Office (ICO) says it intends to fine British Airways £183.39 million for a 2018 data breach that affected 500,000 customers.
BA disclosed the breach in September, saying bookings through its website and app had been compromised, with personal and financial details of customers potentially stolen. The ICO says the incident in part involved user traffic to the website being diverted to a fraudulent site.
Initially, BA said the breach began in August 2018, but the ICO found it may have started in June.
Announcing the proposed fine, the ICO said its investigation “found that a variety of information was compromised by poor security arrangements at the company, including log-in, payment card and travel booking details as well as name and address information”.
The fine is the first major use of Europe’s new General Data Protection Regulation (GDPR), in force in the UK since May 25, 2018, which puts more responsibility on companies to ensure customer data is secure. Under the regulation, the ICO has the right to impose fines of up to €20 million or 4 per cent of annual global turnover, whichever is higher.
Since the incident, BA has improved its security measures and the airline will be allowed to “make representations” to the ICO in relation to the proposed fine, according to the commissioner.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy laws.”
BA’s parent company International Airlines Group (IAG) says the fine equates to 1.5 per cent of the airline’s turnover for the year to 31 December 2017, with chief executive Willie Walsh saying the carrier “will be making representations to the ICO in relation to the proposed fine” and that it will “take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals”.
The carrier’s CEO Alex Cruz commented: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”