British Airways was hit Monday with the largest penalty to date under the European Union’s General Data Protection Regulation, a £183.39m (U.S. $230 million) fine stemming from the compromised data of nearly 500,000 customers.
The nearly quarter-billion-dollar penalty, announced by the U.K.’s Information Commissioner’s Office (ICO), amounts to nearly 1.5 percent of British Airways’ annual revenue for the financial year that ended Dec. 31, 2017.
The fine relates to a cyber incident notified to the (ICO) by British Airways in September 2018. This incident in part involved user traffic to the British Airways Website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers was compromised in this incident, which is believed to have begun in June 2018.
The ICO, in a statement, said its investigation “found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.”
“People’s personal data is just that: personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience,” said Information Commissioner Elizabeth Denham. “That’s why the law is clear. When you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light, the ICO statement adds.
The ICO has been investigating this case as lead supervisory authority on behalf of other EU member state data protection authorities and in consultation with other regulators. Under the GDPR “one stop shop” provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
“We are surprised and disappointed in this initial finding from the ICO that it intends to issue the airline with a penalty notice,” responded Alex Cruz, British Airways’ chairman and chief executive. “[We] responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused.”
“British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” added Willie Walsh, chief executive of parent company International Airlines Group.