British Airways (BA) has been hit with a record fine of £183m as a result of a massive customer data breach last year.
BA’s owner, IAG, said it is “surprised and disappointed” by the financial penalty imposed by the Information Commissioner’s Office (ICO).
At the time of the security breach, BA reported that hackers had carried out a “sophisticated, malicious criminal attack” on its website.
The ICO said the fine was the biggest penalty ever handed out, and the first to be made public under new rules.
According to the ICO, the breach took place after users of British Airways’ official website were diverted to a fraudulent site, where details of approximately half a million customers were harvested by the attackers. The ICO said the incident was believed to have begun in June 2018.
Information Commissioner Elizabeth Denham said:
People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience. …That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.
When the breach was first disclosed on 6 September 2018, BA initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details. Information included names, email addresses, credit card information such as credit card numbers, expiry dates and the three-digit CVV code found on the back of credit cards, although BA has said it did not store CVV numbers.
The ICO said a variety of information was “compromised” by poor security arrangements at the company, including login, payment card, and travel booking details, as well as name and address information.
The watchdog said BA had co-operated with its investigation and has since made improvements to its security arrangements.
The fine imposed on BA is the first penalty to be made public since the General Data Protection Regulation (GDPR) came into force in May 2018, making it mandatory to report data security breaches to the ICO.
Although the GDPR stipulates a maximum penalty of 4% of annual turnover, the BA penalty amounts to 1.5% of its worldwide turnover in 2017.
The biggest penalty to date was £500,000, imposed on Facebook for its involvement in the Cambridge Analytica data scandal – the maximum allowed under the old Data Protection Act that was in force prior to the GDPR.