BA facing £183 million ICO fine for data breach
Written by Hannah McGrath
The owner of British Airways (BA) is facing a £183.39 million fine from the Information Commissioner’s Office (ICO) over a data hack involving the details of around 500,000 customers.
The ICO this morning issued a notice of its intention to fine British Airways - owned by International Airlines Group - 1.5 per cent of British Airways’ worldwide turnover for 2017, under the General Data Protection Regulation.
The ICO said its investigation into the breach, which was first disclosed in September 2018, had found that a variety of information had been compromised by “poor security arrangements at the company”, including login, payment card and travel booking details as well as name and address information.
The ICO said that the incident, thought to have begun in June 2018, in part involved attackers diverting user traffic from the British Airways website to a fraudulent site, which then harvested customer details.
BA initially said that the details of 380,000 customers had been compromised by the data theft between 21 August and 5 September, though it later revised down the figure for the breach involving users of its website and app to 244,000.
Commenting on the move to fine BA, Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal.
"When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
"That's why the law is clear - when you are entrusted with personal data you must look after it.
"Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
Willie Walsh, chief executive of International Airlines Group, said that BA would be “making representations to the ICO” in relation to the proposed fine.
He added: “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
In its statement, the ICO said British Airways had cooperated with its investigation and had made improvements to its security arrangements since these events came to light.
The company will now have the opportunity to make representations to the ICO as to the proposed findings and sanction.
Alex Cruz, British Airways chairman and chief executive, said: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud or fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”