British Airways (BA) has been hit by a GDPR fine of £183.39 million by the UK Information Commissioners Office (ICO) for a 2018 data breach.
The ICO investigation revealed that hackers stole the data of more than half a million BA customers, including sensitive information such as login credentials, payment card numbers, names, and addresses.
The ICO stated that BA had ‘poor security arrangements’ in place and did not adequately mitigate the risk of an attack. The ICO did not issue the fine for the breach itself, but for the security failings that caused it.
Hackers exploit flaws in BA’s website to install code to divert customers to a fraudulent website which they used to harvest customer’s sensitive information.
The breach started in June 2018, less than a month after the GDPR was implemented. GDPR introduced tough new privacy and security requirements for organisations to protect consumers against data misuse. GDPR also increased the penalties that could be levied against organisations for failing to adhere to these standards.
The maximum GDPR penalty is reserved for the most severe of violations and amounts to €20 million or 4% of the organisation’s global annual turnover. The £183.39 million penalty faced by BA corresponds to approximately 1.5% of their annual turnover.
This fine is the largest of its kind ever issued; the next-largest is the £500,000 fine Facebook faced following the Cambridge Analytica scandal. BA has the opportunity to appeal the fine.
BA discovered the breach on September 5, 2018, and reported it to the ICO a day later. GDPR requires entities organisations experiencing a data breach to report the incident within 72 hours of its discovery.
The ICO has only issued a ‘Notice of Intent’ to fine BA. BA now has 28 days in which to launch an appeal. Willie Walsh, the chief executive of BA’s parent company IAG, stated that they ‘intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.’
“We are surprised and disappointed in this initial finding from the ICO,” said Alex Cruz, the chair and chief executive of British Airways. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
BA has since stated that is has implemented measures to improve its website security and prevent such an incident from occurring again.