After a breach of its security systems last year, British Airways
is facing a fine of £183 million ($228.9 million) from the Information
Commissioner’s Office—the biggest penalty the ICO has ever issued and the first
it has made public under new GDPR rules.
The ICO said the incident took place after traffic to British Airways' website
was diverted to a fraudulent site, which enabled the attackers to harvest the
details of about 500,000 customers.
The incident was disclosed on 6 September 2018, but the ICO said it began in
June 2018. According to the Verizon 2019 Data Breach Investigations Report, such
a timeframe is not unusual: while the time from initial attack to compromise is
typically short, the time from compromise to discovery is often measured in months.
A variety of information was compromised, including login, payment card, and
travel booking details, as well as name and address information, according to
the BBC. The ICO noted that British Airways cooperated with the investigation
and made improvements to its security.
Until this point, the largest penalty issued in the UK was £500,000, the maximum
allowed under pre-GDPR data protection rules, imposed on Facebook over the
Cambridge Analytica data scandal. The maximum penalty under GDPR is 4 percent of
annual worldwide turnover; the British Airways penalty amounts to about 1.5
percent of its worldwide turnover in 2017.
British Airways has 28 days to appeal the decision, and the
company’s chairman and chief executive Alex Cruz said the airline was “surprised
and disappointed” in the ICO’s finding. “British Airways responded quickly to a
criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent
activity on accounts linked to the theft. We apologize to our customers for any
inconvenience this event caused,” he said.
Information Commissioner Elizabeth Denham said: “People’s personal
data is just that—personal. When an organization fails to protect it from loss,
damage, or theft, it is more than an inconvenience. That’s why the law is clear—when
you are entrusted with personal data, you must look after it. Those that don’t
will face scrutiny from my office to check they have taken appropriate steps to
protect fundamental privacy rights.”
Read more about post-GDPR fines in this article from the May 2019 issue of Security Management.