BA Faces Record £183.39m Fine For Massive Data Breach

The Information Commissioner’s Office (ICO) has said it plans to fine British Airways a record £183.39 million for a data breach last year that affected half a million customers.

The fine is the ICO’s largest to date and the first to be published under stricter data protection rules that took effect in May 2018.

The airline said it was “surprised and disappointed” by the decision, and said it planned to make representations to the regulator ahead of a final decision.

On 6 September of last year BA said it had discovered a hack of its systems that had resulted in customers’ data being harvested by attackers as it was entered.

Security breach

The hack, which began in June 2018, was in effect during the busy summer holiday period and is believed to have affected some half a million users, the ICO said.

The regulator said attackers had compromised details including logins, payment card numbers and travel booking details, as well name and address data due to “poor security arrangements” at BA.

“People’s personal data is just that – personal,” said information commissioner Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The ICO said BA had cooperated with the investigation and had improved its security arrangements.  The ICO carried out the probe as lead regulator on behalf of other EU member state data authorities.

‘Disappointed’

BA will have the opportunity to make representations in the case ahead of a final decision, and said it planned to do so.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” said Willie Walsh, chief executive of BA owner IAG.

BA chairman and chief executive Alex Cruz said the airline was “surprised and disappointed” by the initial finding.

“British Airways responded quickly to a criminal act to steal customers’ data,” he said. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

The GDPR data protection rules that took effect last year increase possible fines from a maximum of £500,000 to up to 4 percent of a company’s annual turnover.

The proposed BA fine is about 1.5 percent of the airline’s £11.6bn worldwide turnover in 2018.

The ICO’s previous record fine of £500,000 was levied on Facebook for its involvement in the Cambridge Analytica scandal.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago