The UK Information Commissioner’s Office has warned British Airways that it faces a staggering £183.39m fine for failing to protect the personal and financial information of roughly 500,000 of its customers.
The whopping fine, under the European General Data Protection Regulation (GDPR), represents 1.5 per cent of BA’s worldwide revenue in 2017.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The breach affected almost 500,000 people, and the ICO statement disclosed that it is thought to have begun in June 2018. Previous statements from British Airways said it started in late August. The data watchdog described the attack as diverting user traffic from BA’s site to a fake site.
ICO gumshoes found that an assortment of information was compromised, including log-in details, card numbers, names, addresses and travel information.
Such scripts are often used to support marketing and data tracking functions or to run external ads.
It was also revealed that BA parent company IAG was in talks with staff to outsource cyber security to IBM just before the hack took place.
The ICO served as principal investigator but communicated with several other European Union regulators. It said BA cooperated with its investigation and had now made security enhancements to its site.
British Airways and the other regulators now have 28 days to make representations to reduce the fine.
In response, the airline said it was disappointed with the fine since it had cooperated fully and had found no proof that the stolen cards were used. It said it would make representations and appeal the decision.