British Airways is facing a record fine of £183m for last year’s breach of its security systems, which lead to the theft of customer data from the airlines website.
The Information Commissioner’s Office (ICO) has told the International Airlines Group (IAG) that BA will be penalised under the Data Protection Act, and that the fine will be equivalent to 1.5% of its worldwide turnover for 2017.
BA boss Alex Cruz said the airline was “surprised and disappointed” while IAG chief executive Willie Walsh said BA would make representations to the ICO about the scale of the fine, and could appeal it.
The record penalty is the first under tough new GDPR data protection rules that came into effect in 2018. Facebook was last year fined £500,000 by the ICO for a data breach under the old rules.
The ICO said the incident in part involved user traffic to the site being diverted to a fraudulent site, through which the data was “harvested” by cyber attackers.
The ICO said the incident took place after users of British Airways’ website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, the ICO said.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The incident was first disclosed on 6 September 2018 and BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details.
The ICO said the incident was believed to have begun in June 2018.
The General Data Protection Regulation (GDPR) came into force last year and was the biggest shake-up to data privacy in 20 years.
The penalty imposed on BA is the first one to be made public since those rules were introduced, which make it mandatory to report data security breaches to the information commissioner.
It also increased the maximum penalty to 4% of turnover. The BA penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum.