British Airways faces record £183m ICO GDPR fine
The penalty represents 1.5% of the firm’s annual turnover for hacks that affected 500,000 people


The UK data regulator has issued British Airways (BA) with a notice of its intent to fine the company £183 million after hackers compromised the personal data of half a million customers.
Following an investigation under the EU's General Data Protection Regulation (GDPR), the Information Commissioner's Office (ICO) issued the airline with a notice of its intention to fine it £183.39 million.
The UK airline revealed last year that cyber criminals had attacked the company and stolen personal data belonging to 380,000 people over a two-week period between late August and early September 2018. This included payment card details from customers using the BA website and mobile app to make bookings.
BA then disclosed a second cyber security incident a month later, affecting a further 185,000 customers who had made bookings using the Avios reward currency between late April and late July.
The hacks were part of a wider malicious campaign said to be orchestrated by the Magecart group, an organisation that also attacked Ticketmaster and Newegg in similar data breach incidents over 2018.
"People's personal data is just that - personal," said the Information Commissioner Elizabeth Denham. "When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
"That's why the law is clear - when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
Under GDPR, organisations that violate data protection law are exposed to financial penalties of up to €20 million, or 4% of global annual turnover, whichever is higher. For scale, £183 million represents 1.5% of BA's revenue for 2017.
A notice of intent is not a fine in itself; it is an indication of the range in which the final penalty is likely to fall, and the £183 million figure is subject to change.
The ICO said its decisions are based on the severity of the incident, including how many people were affected, the data involved, any failings by the organisation, and the measures it took to co-operate with the regulator and to mitigate any damage.
BA will have 28 days to argue against the penalty and any points the ICO has raised before the data regulator consults with its European counterparts and comes to a final decision. The ICO says this process can take up to 16 weeks in total.
"We are surprised and disappointed in this initial finding from the ICO," said BA's chairman and chief executive Alex Cruz.
"British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused."
BA's parent company the International Airlines Group (IAG) also confirmed the company will make representations to the ICO within the 28-day window, and will "take all appropriate steps to defend the airline's position vigorously".
"The industry needs to understand not only how to prevent, but how to react to large breaches if it is to avoid major action," said CEO of the Chartered Institute of Information Security Professionals Amanda Finch.
"Businesses need not only the technical skills that help make the organisation secure, but the 'soft' interpersonal skills that help create a security-minded culture across the company.
"IT security is in the middle of a long-overdue period of professionalisation - standardising approaches and skills to ensure best practice at all times. Events like these show that it can't happen quickly enough."
If the 183 million fine is issued in its entirety, it will represent the largest GDPR fine an organisation has been given since the regulations came into force more than a year ago.
Moreover, it would be more than three times as large as the total that regulators across the continent had accrued through GDPR fines up to February 2019, around £50 million.
The prospective penalty also dwarfs the £45 million fine the French data protection authority imposed on Google at the start of 2019.

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.