GDPR bites as BA faces £183m fine for data breach

ICO blames security failings for airline's massive data breach last year

British Airways faces a £183.39m fine under GDPR for the massive data breach it suffered last year.

The penalty is the biggest so far to be doled out by the Information Commissioner's Office (ICO) and the first to be made public since the regulation came into effect in May 2018.

The ICO investigation into the breach, which it found started in June 2018 rather than in August as BA initially claimed, discovered that a variety of customer information was "compromised" by poor security arrangements at the company, including log-in, payment card and travel booking details, as well as the names and addresses of its website's users.

The incident involved user traffic to BA's website being diverted to a fraudulent site, which allowed the personal details of approximately 500,000 customers to be harvested by attackers, the regulator added.

"People's personal data is just that - personal," said Elizabeth Denham, information commissioner.

"When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data you must look after it.

"Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

Under GDPR, a company can be fined up to four per cent of its annual revenue if found to be in breach of the regulation. The proposed penalty for BA is one and a half per cent of its total turnover for 2017.

BA has cooperated fully with the ICO and has improved its security since the incident, according to the regulator.

Alex Cruz, chair and chief exec of the airline, said he is "surprised and disappointed" by the findings of the ICO.

"British Airways responded quickly to a criminal act to steal customers' data," he stated.

"We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused."

British Airways is owned by parent company IAG, which vowed to contest the multimillion-pound fine.

Willie Walsh, CEO of IAG, said: "British Airways will be making representations to the ICO in relation to the proposed fine.

"We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals."