The Information Commissioner’s Office (ICO) has issued notice of intent to fine the airline for a massive data breach in September last year when data from an estimated half a million customers was compromised.
Serious data breach
Within the text of GDPR, a maximum penalty for a serious data breach is listed as €20 million or 4% of the company’s annual turnover. But the record penalty only equates to 1.5% of the worldwide turnover for 2017.
The ICO has confirmed this is the biggest penalty it has handed out under the new regulation and the first to be made public.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The breach was first disclosed in September last year but is believed to have occurred from June, when attackers diverted users of the BA website to a fraudulent site where it is estimated they harvested the details of around half a million customers. Data compromised in what BA characterised as ‘a sophisticated, malicious criminal act’ included names, mailing addresses, credit card details and email addresses. The ICO said the breach was made possible by poor security arrangements at BA; the compromised data included log-in, payment card and travel booking details, together with name and address information.
Mike Wills, Director of Data Services for CSS Assure, commented: “This is the first big fine under GDPR, but it won’t be the last, and its severity should act as a warning of the potentially massive cost of non-compliance if your firm were to get caught out at some time in the future. A sensible move would be to examine your current position and take action to make sure you are compliant. It might also pay dividends to consider cyber insurance cover, which can indemnify you against anything from repair of software and/or hardware after a breach to reimbursement of possible legal costs, public relations spend and lost business.”
BA have indicated they intend to appeal the size of the fine with the ICO, with Chairman and Chief Executive Alex Cruz saying: “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We are surprised and disappointed in this initial finding from the ICO. We apologise to our customers for any inconvenience this event caused.”
Stark indicator
Nick Pomponio, Director of Operations at CSS Assure, commented: “The massive penalty allowed for under the new GDPR rules is a stark indicator of just how much the game has changed in data protection. Until now the biggest single penalty for a data breach was the £500,000 Facebook had to pay out over the Cambridge Analytica affair. The BA penalty is roughly 367 times bigger and could have been more than double that if the ICO had imposed the maximum allowed.”