The ICO is proposing to fine British Airways £183.39 million under GDPR legislation.
Following an investigation the Information Commissioner’s Office (ICO) has issued a notice of its intention to fine British Airways £183.39 million for infringements of the General Data Protection Regulation (GDPR).
The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers.
Personal data of approximately 500,000 customers was compromised in this incident, which is believed to have begun in June 2018.
The ICO’s investigation has found that a variety of information was compromised by “poor security arrangements” at British Airways, including login, payment card and travel booking details, as well as name and address information.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have the opportunity to make representations to the ICO as to the proposed findings and sanction.
The fine, if it goes ahead, would be the biggest the ICO has ever imposed and the first under the new General Data Protection Regulation (GDPR), which came into effect in May 2018. It amounts to around 1.5% of British Airways’ £11.6 billion worldwide turnover last year.
“We are surprised and disappointed in this initial finding from the ICO,” said Alex Cruz, the chair and chief executive of British Airways.
“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
Willie Walsh, the chief executive of BA’s parent company, International Airlines Group (IAG), said: “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”