The UK’s data protection authority plans to levy a £183.4 million ($230 million) fine on British Airways over the theft of passenger data in 2018, the largest ever penalty proposed by the country’s Information Commissioner’s Office (ICO) since the EU’s updated General Data Protection Regulation (GDPR) came into force last May. The proposed fine represents 1.5 percent of the London-based airline’s worldwide revenue in 2017, though it could have proven much worse because penalties for GDPR non-compliance can reach 4 percent of annual global revenue—£488 million in BA’s case.
Still, Willie Walsh, CEO of BA parent International Airlines Group (IAG), vowed on Monday that the company intends “to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.” BA will be making “representations” to the ICO in relation to the proposed fine, he noted. It has 28 days to do so.
In the joint statement, British Airways CEO Alex Cruz said the carrier is “surprised and disappointed” in the initial finding from the ICO. “British Airways responded quickly to a criminal act to steal customers’ data,” he insisted. “We have found no evidence of fraud [or] fraudulent activity on accounts linked to the theft.”
The airline disclosed last September that hackers had stolen personal and financial details from about 380,000 customers who booked on its website and mobile app from August 21 until September 5, 2018. In an update at the end of October, it revealed that hackers might also have accessed the names, billing addresses, email addresses, and card payment information (including card number, expiration date, and some CVV codes) of 185,000 passengers making reward bookings between April 21 and July 28, 2018.
The ICO on Monday said it found that a variety of information was compromised by “poor security arrangements” at BA. Hackers diverted personal data—including login, payment card, and travel booking details as well as name and address information—of approximately 500,000 customers from the BA website to a fraudulent site, according to the ICO. The incident likely began in June 2018, it concluded.
“People’s personal data is just that—personal,” Information Commissioner Elizabeth Denham commented. “When an organization fails to protect it from loss, damage, or theft, it is more than an inconvenience. That’s why the law is clear; when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light, the ICO said.
It added it will consider “carefully” the representations made by BA as regards the proposed findings and sanction before it takes its final decision. Under the GDPR “one-stop shop” provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
The ICO investigated the BA GDPR infringement case as lead supervisory authority on behalf of other EU member country data protection authorities. It has also liaised with other regulators.