The Information Commissioner’s Office (ICO) is fining British Airways £183 million over a major data breach in which hackers carried out a “sophisticated, malicious criminal attack” on its website and stole half a million customers’ personal data.
The fine is the biggest the ICO has handed out and the first to be made public under the new rules.
According to the investigation, the incident began when British Airways passengers were diverted to a fraudulent website, where they were duped into entering their personal information. BA disclosed the incident on 6 September 2018, confirming that approximately 380,000 transactions were affected but that the stolen data did not include travel or passport details.
One of BA’s customers, David Champion, said that the data breach could possibly be the reason why his credit card was used fraudulently.
“BA are claiming there were no fraudulent transactions from the leak. My card details, I don’t think, weren’t exposed anywhere else,” he told the BBC.
The transaction was rejected and Mr Champion was not left out of pocket.
“BA contacted me in August/September about the breach, that addresses and emails were leaked. Later they said credit card details were too,” he added.
The ICO said that, due to BA’s poor security arrangements, passengers’ information, including login details, payment card details, travel booking details, addresses and names, was compromised. It added that BA had since made improvements to its security arrangements and had co-operated with its investigation.
The penalty imposed on BA is the first to be made since the General Data Protection Regulation (GDPR) came into force last year. It represents 1.5 per cent of BA’s worldwide turnover in 2017; the ICO’s maximum penalty is 4 per cent of turnover. The maximum allowed under the old data protection rules was £500,000, the amount imposed on Facebook for its role in the Cambridge Analytica data scandal.
BA has confirmed in a statement that it will appeal the decision.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” the statement said.
Alex Cruz, British Airways’ chairman and chief executive, said the airline was “surprised and disappointed” in the ICO’s initial finding.
“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.
“We apologise to our customers for any inconvenience this event caused.”