The UK's ICO has issued British Airways with a record fine of £183m for a data breach last year. The penalty is the first to be made public under new rules following the enactment of GDPR, and dwarfs the previous maximum of £0.5m.
The airline's web site was hacked in what it described as a 'sophisticated, malicious criminal attack', said to have taken place last June, with users diverted to a fraudulent site, which harvested details from about 500,000 customers. When it was disclosed on 6th September, BA said around 380,000 transactions were affected, with data stolen including names, email addresses, three key pieces of credit card information, but not travel or passport details.
The ICO complained of poor security arrangements at the company, although it concedes that BA co-operated with its investigation and has made improvements to its security arrangements.
Chairman and CEO Alex Cruz says the firm is 'surprised and disappointed' by the penalty from the ICO (Information Commissioner's Office), and states: 'British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused'. British Airways now has 28 days to appeal, and Willie Walsh, CEO of its parent IAG, says it 'intends to take all appropriate steps to defend its airline's position vigorously, including making any necessary appeals'.
Quoted on www.bbc.co.uk , Information Commissioner Elizabeth Denham said: 'People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights'.
Since May last year the maximum penalty for breaches has been raised to 4% of turnover, and today's penalty is 1.5% of BA's in 2017. However it's 366 times the fine issued to Facebook for its role in the Cambridge Analytica data scandal, which was the maximum previously allowed.
Web site: www.ico.org.uk .
All articles 2006-20 written and edited by Mel Crowther and/or Nick Thomas unless otherwise stated.