By Richard Summerfield
British Airways is to be fined £183.39m by the UK’s Information Commissioner’s Office (ICO) for data protection breaches.
The fine, as set forth by the ICO, will be the largest penalty handed down since the implementation of the European Union’s (EU’s) General Data Protection Regulation (GDPR). The regulator said the company will have a chance to contest the proposed fine, which is roughly 1.5 percent of the airline’s annual revenue of £11.6bn worldwide in 2018, well below the maximum rate of 4 percent that can be applied under the GDPR.
According to the ICO, weak security on the airline’s website allowed users to be diverted away to a fraudulent page, starting in June 2018. The ICO’s investigation found that customer details of around 500,000 users, including login, payment card, name, address and travel booking information, had been harvested in the incident.
“People’s personal data is just that – personal,” said Information Commissioner Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways, which has subsequently improved its security protocols, has said it will fight the ruling. The airline can appeal against the findings and scale of the fine before a final decision by the ICO. “We are surprised and disappointed in this initial finding from the ICO,” said Alex Cruz, the chair and chief executive of British Airways. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
The ICO noted: “British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction.”