British Airways has today, 08 July 2019, been handed a huge £183 million fine following an “extensive investigation”, the Information Commissioner’s Office (ICO) has confirmed.
It means that the airline has become the first UK firm to be fined under the new General Data Protection Regulation (GDPR).
The fine – by far and away the largest on record – relates to a cyber incident notified to the regulator by British Airways in September 2018, but believed to have begun in June 2018.
As the date of the breach falls after the date of the introduction of GDPR, the British flight operator has been made subject to the tough new rules and regulations.
Under the new regime, the maximum penalty for data breaches increased to four per cent of worldwide turnover. While the airline’s penalty only amounts to 1.5 per cent of global turnover, it still towers – roughly 367 times as high – over the previous record penalty: £500,000 imposed on Facebook for its role in the Cambridge Analytica data scandal.
According to the ICO, the investigation found that a “variety of information” was compromised by “poor security arrangements at the company”. The information included the login, payment card and travel booking details, as well as name and address information, of approximately 500,000 passengers.
The details of the investigation show that the incident involved hackers diverting users of the British Airways website to a fraudulent page, where customers would unwittingly hand over sensitive data.
Commenting on the report, Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Willie Walsh, chief executive of the airline’s owner IAG, said the company would be making representations to the ICO.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” he said.