British Airways is to be fined more than £183m by the Information Commissioner’s Office after hackers stole the personal data of half a million of the airline’s customers.
The ICO said its extensive investigation found that the incident involved customer details including login, payment card, name, address and travel booking information being harvested after being diverted to a fraudulent website.
The ICO said the data breach, which began in June 2018, occurred because British Airways had “poor security arrangements” in place to protect customer information from being accessed.
“People’s personal data is just that – personal,” said the information commissioner, Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The £183.4m fine, the first the ICO has proposed under the new General Data Protection Regulation (GDPR), amounts to about 1.5% of British Airways’ £11.6bn worldwide turnover last year.
“We are surprised and disappointed in this initial finding from the ICO,” said Alex Cruz, the chair and chief executive of British Airways. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
British Airways, which has since bolstered its web security, can appeal against the findings and scale of the fine before a final decision by the ICO.
Following disclosure of the hack, BA promised to compensate affected customers and took out full-page adverts in UK newspapers to apologise to passengers.
It had meanwhile described the mass theft as “a very sophisticated, malicious, criminal attack on our website”.
IAG is the owner of five airlines, also including Aer Lingus, Iberia, Level and Vueling, none of which were affected by the hack.
GDPR establishes the key principle that individuals must explicitly grant permission for their data to be used.
The case for the new rules had been boosted by a scandal over the harvesting of Facebook users’ data by Cambridge Analytica, a US-British political research firm, for the 2016 US presidential election.