LONDON – The UK Information Commissioner’s Office (ICO) announced Monday it intends to issue a major fine to British Airways. The £183.39 million ($226.22 million) fine is for breaches of General Data Protection Regulation (GDPR) rules.
500,000 Affected by Data Breach
The fine equates to 1.5 per cent of the airline’s worldwide turnover for the financial year ended 31 December 2017. The ICO said that it related to a cyber incident that started in June 2018. The British Airways website sent some users to a fraudulent site, which collected their personal data. This included login, payment card and travel booking details, as well as name and address information. The incident affected 500,000 users. British Airways informed the ICO of this incident in September 2018.
Commenting on the proposed fine, Information Commissioner Elizabeth Denham said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways Pushes Back
Responding, Alex Cruz, British Airways chairman and chief executive, said:
“We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
“British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” added Willie Walsh, chief executive of parent company International Airlines Group.