British Airways faces £183m GDPR fine over last year's security breach
British Airways faces record fine for data breach - the first to be levied under GDPR
The Information Commissioner's Office (ICO) is to fine British Airways £183.4 million over the payments system security breach last year. The fine is the first to be issued under GDPR.
BA chairman and CEO Alex Cruz said that the company would appeal. "We are surprised and disappointed in this initial finding from the ICO... British Airways responded quickly to a criminal act to steal customers' data," said Cruz in a statement.
Willie Walsh, the CEO of BA's owner International Airlines Group (IAG), said they will take all necessary steps to "defend the airline's position".
In its statement, the ICO announced its 'intention to fine' BA £183.4 million under the GDPR, representing 1.5 per cent of the company's annual turnover.
"Following an extensive investigation the ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR)," the statement said.
"The ICO's investigation has found that a variety of information was compromised by poor security arrangements at the company, including log-in, payment card, and travel booking details as well name and address information.
"British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have the opportunity to make representations to the ICO as to the proposed findings and sanction."
The penalty is by the biggest ever imposed by either the ICO or its predecessor organisation, the Data Protection Registrar. Under the old Data Protection Act of 1998, the maximum fine any organisation could face was £500,000, which could be reduced by 20 per cent for prompt payment.
Both Facebook and TalkTalk were fined the maximum under the old regime - Facebook for its spillage of details to Cambridge Analytic, and TalkTalk for its 2015 data breach.
BA's customer data breach was first disclosed on 6th September 2018 when the airline revealed that hackers had breached its computer systems to steal data relating to about 380,000 customers from its mobile app and website. The airline said that the hacking campaign started on 21st August and lasted for about two weeks.
That 'Magecart' attack had targetted the third-party Javascript hosted on the company's payments pages. It had come after a similar, long-standing attack on TicketMaster earlier in the year. TicketMaster had been accused of ignoring warnings from start-up bank Monzo that it had been compromised.
In October 2018, BA further revealed that cybercriminals had stolen credit card details of 185,000 more customers in what it described as a "sophisticated, malicious criminal attack," and admitted that it had lasted over a longer period then previously thought.
It was said that the customers who made reward bookings between 21st April 2018 and 28th July 2018 using a payment card were likely at risk.
Apart from the personal details, customers' email addresses, card numbers, expiry dates, and card verification value (CVV) numbers were likely stolen, BA warned.
Cruz said that BA had responded quickly after detecting the attack and hadn't found any evidence so far of fraud on accounts compromised during the attack.
BA has 28 days to appeal against the ICO's decision.
The ICO said it will carefully consider the representations made by the airline agencies before taking a final decision on the fine that will be levied.