British Airways fined £183 million for data leak
British Airways has been fined a record £183 million by the Information Commissioner’s Office after a major security breach in 2018 compromised the details of 500,000 customers.
British Airways chairman and chief executive Alex Cruz was “surprised and disappointed” at the extent of the penalty, following what the airline described as a “sophisticated, malicious criminal attack” by hackers.
The airline stated: ”British Airways responded quickly to a criminal act to steal customers' data.
"We have found no evidence of fraud or fraudulent activity on accounts linked to the theft.
"We apologise to our customers for any inconvenience this event caused.”
It is the largest fine ever imposed on a company under the ICO’s new GDPR rules, exceeding the £500,000 fine handed to social network Facebook for its role in the Cambridge Analytica scandal under former regulations. British Airways has 28 days to lodge an appeal.
The fine comes after the British Airways website was compromised, with users diverted to a fraudulent page. Hackers then used the fake website to steal personal information.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that: personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
“The law is clear: when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights”.
The breach first came to light on 6 September 2018, with British Airways estimating that around 380,000 transactions had been hijacked.
Compromised data included names, email addresses and credit card information, including card numbers, expiry dates and three-digit CVV codes.
The ICO believes that the data snatch began as early as June last year, with poor security measures meant to protect log in, payment card, and travel booking details alongside name and address information responsible for the breach.
The airline has not commented on whether any form of compensation has been paid out to victims, but those affected must lodge their own claims or face being out of pocket.
British Airways claims that it was fully compliant with the ICO investigation and that it has since made vast improvement to its security systems.
Willie Walsh, who heads the IAG company which owns the airline, also confirmed that the airline will be making representations to the watchdog.
He said: ”We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals."