British Airways, owned by the International Airlines Group (IAG), is facing a fine of more than £183 million from the UK Information Commissioner’s Office (ICO) after hackers stole the personal data of about half a million of the airline’s customers last year, according to the BBC. The ICO said that, following an extensive investigation, it found that customer details including login, payment card, name, address and travel booking information were harvested by diverting customers to a fraudulent website, and added that the breach occurred because of BA’s “poor security arrangements” to protect customer information. The incident was first disclosed on September 6, 2018, and BA had initially said that the data of about 380,000 users was compromised. However, it was later found that another 185,000 customers may have had their personal details stolen as well.

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights” – Elizabeth Denham, Information Commissioner

Biggest fine for data breach since GDPR kicked in

The fine — which amounts to 1.5% of BA’s total revenues for the year that ended December 31, 2017 — is the highest that the ICO has ever imposed on a company for a data breach. Before this, its highest penalty for a data breach was the £500,000 fine imposed on Facebook in October 2018 over the Cambridge Analytica scandal. However, Facebook was penalised under the UK’s old Data Protection Act 1998, since the scandal broke out in March 2018, months before GDPR came into force in May 2018. The proposed fine on BA is 367 times higher, even though the Cambridge Analytica scandal involved a much larger breach (87 million accounts were compromised). GDPR rules make it mandatory to report data breaches to the information commissioner. According to the GDPR website:

There are two tiers of administrative fines that can be levied for non-compliance with GDPR:

  • Up to €10 million, or 2% annual global turnover – whichever is greater; or
  • Up to €20 million, or 4% annual global turnover – whichever is greater.

‘Surprised and disappointed,’ says BA

Following the ICO’s statement, Alex Cruz, British Airways chairman and chief executive, said that the airline responded quickly to the data breach and found that no fraudulent activity was carried out with the compromised data. The fine thus left BA “surprised and disappointed”. However, Willie Walsh, International Airlines Group chief executive, hinted that the group would appeal against the fine and said that BA would be “making representations to the ICO in relation to the proposed fine”.