British Airways hit with record £183m fine for cybersecurity failures

British Airways has been issued a record £183.39M fine by the Information Commissioner’s Office (ICO) for its failures to comply with the General Data Protection Regulation (GDPR).

This follows an “extensive investigation” by the ICO into an incident that dates back to 2018.

Users of the British Airways website were diverted to a fake, fraudulent domain, which ultimately led to customer details being stolen by attackers – with approximately 500,000 customers having their personal data compromised.

Information Commissioner Elizabeth Denham commented: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. 

“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The investigation found a range of information was exposed by “poor security arrangements.”

The information compromised includes customer login and payment card details, travel bookings, and customers’ names and addresses.

The ICO stated that British Airways has cooperated with the investigation and has already made improvements to its security arrangements since these events.

The company will now have the opportunity to make representations to the ICO as to the proposed findings and sanction.

British Airways’ chairman and chief executive Alex Cruz said the company is “surprised and disappointed” by the ICO’s initial judgement.

He noted: “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.

“We apologise to our customers for any inconvenience this event caused.”