The UK Information Commissioner’s Office has fined British Airways (BA) £183.39 million for cybersecurity failings related to a 2018 data breach.
More than half a million BA customers had their sensitive information compromised when a hacker hijacked BA’s website. The ICO investigation revealed that the hacker could have accessed sensitive information such as login credentials, payment card numbers, names, and addresses. This information has a high black-market value due to its potential use in fraudulent activities.
The ICO found that BA did not adequately protect consumer information as they had ‘poor security arrangements’.
The breach occurred through BA’s website; hackers installed code to divert customers to a fraudulent website. Hackers were then able to harvest customer’s sensitive information when they entered it into the fake website.
The investigation revealed that hackers first compromised BA’s website on June 2018, less than a month after the GDPR was implemented. GDPR introduced strict new privacy and security requirements for organisations to protect consumers against data misuse. GDPR also increased the penalties that could be levied against organisations for failing to adhere to these standards.
The maximum GDPR penalty is reserved for the most severe of violations and amounts to €20 million or 4% of the organisation’s global annual turnover. The £183.39 million penalty faced by BA corresponds to approximately 1.5% of their annual turnover. Had BA’s parent company, International Airlines Group (IAG) been fined instead, the maximum fine would have been closer to £500 million.
This fine is the largest of its kind ever issued; the next-largest is the £500,000 fine Facebook faced following the Cambridge Analytica scandal. BA has the opportunity to appeal the fine.
BA discovered the breach on September 5, 2018, and reported it to the ICO a day later. GDPR requires entities organisations experiencing a data breach to report the incident within 72 hours of its discovery.
The ICO has only issued a ‘Notice of Intent’ to fine BA, against which BA has 28 days to launch an appeal. Willie Walsh, the chief executive of BA’s parent company IAG, stated that they ‘intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.’
“We are surprised and disappointed in this initial finding from the ICO,” said Alex Cruz, the chair and chief executive of British Airways. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
BA has since stated that is has implemented measures to improve its website security and prevent such an incident from occurring again.