British Airways (BA) faces a record fine of 183 million pounds for data breach in 2018. The airline, owned by IAG, says it was ‘surprised and disappointed’ by the penalty from The Information Commissioner’s Office (ICO) . The proposed penalty of 183 million pounds represents 1.5 per cent of BA’s worldwide revenue in 2017. In September 2018, British Airways’ chairman and chief executive, Alex Cruz, revealed ‘a very sophisticated, malicious attack’.
Cybercriminals had stolen personal and financial information from thousands of its customers who booked directly with the airline over a two-week spell in August and early September. British Airways maintains that there is no evidence of harm to passengers.
The Information Commissioner’s Office (ICO) says it intends to issue the airline with a penalty notice under the Data Protection Act. The ICO said it was the biggest penalty it had ever handed out and the first to be made public under new rules.
As per the ICO, the incident took place after users of British Airways’ website were diverted to a fraudulent site. Details of around 500,000 customers were harvested by the attackers through this false site. The incident was first disclosed on Sept. 6, 2018. BA had initially said about 380,000 transactions were affected, but the stolen data did not include travel or passport details. The ICO believes that the incident had begun in June 2018.
As per Information Commissioner Elizabeth Denham, people’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience. She added that when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.
The General Data Protection Regulation (GDPR) came into force last year and was the biggest shake-up to data privacy in 20 years. The penalty imposed on BA is the first one to be made public.
BA has 28 days to appeal. Willie Walsh, chief executive of IAG, said British Airways would be making representations to the ICO to vigorously defend the airline’s position.
Alex Cruz, British Airways’ chairman and chief executive, said the airline was “surprised and disappointed” in the ICO’s initial finding. He added that British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. He said, “We apologize to our customers for any inconvenience this event caused.”
The penalty is divided up between the other European data authorities, while the money that comes to the ICO goes directly to the Treasury.
