British Airways is facing a record fine of £183 million for last year’s breach of its security systems. The airline says it was “surprised and disappointed” by the penalty which was issued by the Information Commissioner’s Office (ICO). The penalty is the biggest handed out by the ICO to date and the first to be made public under the General Data Protection Regulation (GDPR).
The BA penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum of 4%. Until now, the biggest penalty was £500,000, imposed on Facebook for its role in the Cambridge Analytica data scandal. That was the maximum allowed under the pre-GDPR data protection rules.
According to the ICO, the BA breach took place after users of the airline’s website were diverted to a fraudulent site. Through this false site, details of around 500,000 customers were harvested by the attackers.
The incident was first disclosed on September 6, 2018. At first BA had said that approximately 380,000 transactions were affected, but that the stolen data did not include travel or passport details. The ICO said the incident was believed to have begun in June 2018 and that a variety of information was “compromised” by poor security arrangements at the company, including log-in, payment card, and travel booking details as well as name and address information.
BA initially said the information included names, email addresses and payment card details, such as card numbers, expiration dates and the three-digit CVV code printed on the back of cards, although BA has said it did not store CVV numbers.
The watchdog said BA had co-operated with its investigation and made improvements to its security arrangements.
BA has 28 days to appeal.