Following a major customer data breach last September, the Information Commissioner’s Office (ICO) has announced it plans to fine British Airways more than £183 million under the new Data Protection Act.
This is the largest penalty ever doled out, roughly 367 times as high as the previous record, and the first to be made public under the new rules, according to the watchdog.
Previously, the largest penalty issued (£500,000) was imposed on Facebook for its part in the Cambridge Analytica data scandal. At the time that figure was the maximum fine permitted before the new General Data Protection Regulation (GDPR) came into effect.
Willie Walsh, CEO of International Airlines Group, the parent company of British Airways (BA), has said the organisation will “defend the airline’s position vigorously, including making any necessary appeals”.
The company now has 28 days to appeal the ICO’s decision. Had the ICO imposed the highest penalty of 4% of turnover, BA would have faced a fine approaching £500m.
In September 2018, British Airways’ chairman and chief executive, Alex Cruz, disclosed that the airline had been the victim of “a very sophisticated, malicious attack,” which saw the personal and financial details of around 500,000 of its customers lifted by hackers.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
According to the ICO, the breach was due to poor security measures at BA, and the compromised information included login, payment card, and travel booking details as well as name and address information.
BA’s chairman and chief executive, Alex Cruz, said of the initial finding that he was “surprised and disappointed”. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused,” he said.