A data protection watchdog has issued a notice of its intention to fine British Airways £183.39million for infringements to GDPR.
The fine, issued by the Information Commissioner’s Office (ICO), is equivalent to 1.5% of British Airways’ worldwide turnover for the financial year which ended December 31 2017.
The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site.
Through this false site, customer details were harvested by cyberattackers. Personal data belonging to approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.
The ICO’s investigation found that a variety of information was compromised by ‘poor’ security arrangements at the company, including log in, payment card and travel booking details as well name and address information.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction.
Alex Cruz, British Airways Chairman and Chief Executive, said: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
Willie Walsh, International Airlines Group Chief Executive, said: “British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
ICO has been investigating the case as lead supervisory authority on behalf of other EU Member State data protection authorities.
It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.