BA faces record £183m GDPR fine
British Airways (BA) is facing a potential fine of £183.39m for infringements of the General Data Protection Regulation (GDPR), following an extensive investigation by the Information Commissioner’s Office (ICO) into a cyber incident the airline notified in September 2018.
8 Jul 2019
The record-breaking fine represents 1.5% of British Airways' worldwide turnover for the financial year ended 31 December 2017.
This incident was believed to have begun in June 2018, and in part involved user traffic to the BA website being diverted to a fraudulent site, which was used by cyber hackers to harvest customer details. As a result, the personal data of approximately 500,000 customers were at risk.
BA initially disclosed in September 2018 that hackers had stolen data relating to about 380,000 customers from its website and mobile app during a two-week period beginning on August 21, at the height of the summer holiday season.
Subsequently, in October, it declared that it was notifying the holders of 77,000 payment cards, not previously notified, that their name, billing address, email address and card payment information, including card number, expiry date and CVV, had potentially been compromised, and a further 108,000 without CVV. The potentially impacted customers were those who made reward bookings using a payment card between April 21 and July 28, 2018.
The ICO’s investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details, as well as name and address information.
Elizabeth Denham, Information Commissioner, said: ‘People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.’
The ICO said BA had cooperated with its investigation and has made improvements to its security arrangements since these events came to light. The company will now have the opportunity to make representations to the ICO on the proposed findings and sanction.
Alex Cruz, BA chairman and chief executive, said: ‘We are surprised and disappointed in this initial finding from the ICO.
‘British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.’
Willie Walsh, chief executive of parent company International Airlines Group, said: ‘British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals.’
The ICO has been investigating this case as lead supervisory authority on behalf of other EU member state data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.