The owner of British Airways has pledged to 'defend the airline’s position vigorously' against a proposed record-breaking £183m fine for breaches of data protection law.
The Information Commissioner's Office (ICO) said it had issued a notice of its intention to fine BA £183.39m for infringements of the General Data Protection Regulation (GDPR) in relation to a cyber incident notified by the airline in September 2018.
The fine dwarfs any previous penalty for a data protection infringement and represents 1.5% of BA’s worldwide turnover for 2017.
The ICO said the incident in part involved user traffic to the BA website being diverted to a fraudulent site, through which customer details were harvested by the attackers. Personal data of approximately 500,000 customers was compromised in the incident, which is believed to have begun in June 2018.
It said its investigation ‘found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information’.
Information Commissioner Elizabeth Denham said: 'People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.‘
BA chairman and chief executive Alex Cruz said the firm was ‘surprised and disappointed’ by the initial ruling as it had responded quickly to a criminal act to steal customers’ data and found no evidence of fraudulent activity on accounts linked to the theft.
Willie Walsh, chief executive of BA owner International Airlines Group, said: ‘British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.’
The ICO said BA had co-operated with its investigation and made improvements to its security arrangements since the hack came to light and will now have opportunity to make representations to it as to the proposed findings and sanction.