The U.K. Information Commissioner’s Office (ICO) has fined British Airways over £183m for a data breach involving the theft of more than half a million users’ data, including login info, card information, names, addresses and booking information, according to a report by The Guardian.
Hackers used a fake website to trick bookers, and the ICO said British Airways had “poor security arrangements,” essentially allowing the breach, which started in June of 2018, to happen.
“People’s personal data is just that — personal,” said Elizabeth Denham, information commissioner. “When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. The law is clear: when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The fine amounts to about 1.5 percent of the airline’s £11.6bn turnover in 2018, which is in line with General Data Protection Regulation rules.
“We are surprised and disappointed in this initial finding from the ICO,” said Alex Cruz, the chair and chief executive of British Airways. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud (or) fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused.”
The airline said it has strengthened its online security, and it can appeal the decision before the ICO makes a final determination.
“British Airways will be making representations to the ICO in relation to the proposed fine,” said Willie Walsh, the chief executive of BA’s parent company, International Airlines Group (IAG). “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
One analyst, George Salmon of the financial services company Hargreaves Lansdown, said that the penalty could be significant for IAG’s financial outlook.
“The fine serves as a reminder that while one might think of data risks as more relevant to the likes of Google, Facebook and other tech giants, the new rules cover any business with customer data on board,” he said. “£183m will make a pretty big dent in next year’s numbers, but IAG should be able to withstand its impact as it is less than 10 percent of expected net profits and could yet be reduced on appeal.”