British Airways faces a fine of more than £183 million following the theft of customer data from its website last year.
The airline revealed today that it had received a penalty notice from the UK Information Commissioner’s Office (ICO) and that it plans to appeal.
The ICO has indicated that it proposes to impose a penalty of £183,390,000 – equivalent to 1.5% of BA’s worldwide turnover for the 2017 financial year.
The proposed penalty relates to a data breach disclosed on September 6 and October 25, 2018, affecting an estimated 500,000 customers.
The hack hit 380,000 direct customer transactions.
The penalty notice is to be issued under the UK Data Protection Act.
The ICO said it was the biggest penalty it had ever handed out and the first to be made public under new rules.
The General Data Protection Regulation (GDPR) came into force last year and was the biggest change to data privacy in 20 years.
BA has 18 days to appeal.
BA chairman and chief executive Alex Cruz said: “We are surprised and disappointed in this initial finding from the ICO.
“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.
“We apologise to our customers for any inconvenience this event caused.”
Willie Walsh, chief executive of parent company International Airlines Group, said: “British Airways will be making representations to the ICO in relation to the proposed fine.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
The ICO said that the proposed fine related to a cyber incident in September 2018.
The incident in part involved user traffic to the BA website being diverted to a fraudulent site.
“Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018,” the ICO said.
“The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.”
Information commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.
“BA has co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light.”
The carrier will now have opportunity to make representations to the ICO as to the proposed findings and sanction, the ICO added.
Rachel Aldighieri, managing director of the Data & Marketing Association, said: “This is the first fine the ICO has announced under the new GDPR laws and the level of the proposed fine is unprecedented in the UK, highlighting the importance all businesses should place on the security of customers’ data.
“Data is a fundamental part of the digital economy, so maintaining its security must be a business imperative. Trust in how brands collect, store and use data is essential to the relationship between businesses and their customers.
“The risks to BA go beyond the potential fines regulators can issue too, the long-term effects on customer trust, share price and public perception could have more lasting damage.”
Emma Roe, partner and head of commercial at Shulmans LLP, said: “The ICO aren’t going to let an organisation off the hook for the breach being the work of an external party or because that organisation is the victim of a criminal hack.
“This type of breach doesn’t absolve any business from having appropriate security in place to protect the data it holds.
“However, it’s probably that fact of this breach being the result of external hackers which has led to this fine being 1.5% of turnover rather than the maximum of 4% of worldwide turnover, which the ICO is entitled to fine.
“Clearly the ICO have left themselves room to issue bigger fines when they find culprits with even less of a handle on their data use and security.
“The ICO will be looking at the proportionality of the security in place, so the message here being that BA’s protection of its customers’ data was simply not good enough, bearing in mind its available resources and the nature of the personal data it holds about its customers.
“This level of fine may indicate that the ICO felt there was additional security which BA could and should have had in place to prevent this particular hack.
“The timing of this fine confirms it’s taken almost the 12 months that most experts predicted from GDPR coming into effect in the UK in May 2018 to an investigation being completed and resulting in a fine.
“This is just the start of the fines we’re likely to see under the new laws.”
Kingsley Hayes, managing director at data breach and cyber security specialist Hayes Connor Solicitors, said his firm was representing hundreds of BA customers whose personal information was violated – including login details, payment card information, names and addresses.
He added: “The ICO has sent a clear message to all businesses – follow the law and protect customers’ personal information or pay a hefty penalty.
“Placed in the wrong hands, these details can be used to obtain credit fraudulently causing havoc, significant financial loss and psychological distress to those affected. Reports state that the international airline will be appealing the decision claiming that it had found no evidence of any financial loss to date as a result of the harvesting of 500,000 customers’ details.
“It is unlikely that this appeal will stand as hackers with this much stolen data are likely to use it in batches over time. In the meantime, the stress and anxiety suffered by affected customers is significant.
“Organisations have a legal obligation to take all the necessary measures to adequately protect the personal information held by them – this includes implementing robust cyber security to prevent hackers from obtaining private data as was the case with British Airways.”