British Airways faces a record fine of £183.39 million for a data breach which happened last year. Following an extensive investigation the Information Commissioner’s Office (ICO) has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).
Confidential information of about 500,000 British Airways customers was harvested by hackers as a result of poor security practices by the airline.
The leaked information included people’s names, email addresses and credit card information such as credit card numbers, expiry dates and the three-digit CVV codes. The airline also said that the stolen data did not include travel or passport details.
The ICO says that the incident was believed to have begun in June 2018, and a variety of information was “compromised” due to the poor security arrangements at the company.
The ICO also says that it is the biggest penalty it has handed out and the first to be made public under the new General Data Protection Regulation (GDPR), which came into effect in May last year.
Information Commissioner Elizabeth Denham said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
According to the ICO, British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have the opportunity to make representations to the ICO as to the proposed findings and sanction.
At this stage the fine is merely a notice of intention by the ICO. The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.
The airline says it is “surprised and disappointed” by the penalty from the watchdog.