On July 8, 2019, the United Kingdom Information Commissioner’s Office (ICO) announced its intention to fine British Airways an unprecedented £183.39m in response to a data breach incident last year that affected approximately 500,000 customers.
British Airways first disclosed the incident to the ICO in September 2018, in accordance with its obligations under the European Union’s General Data Protection Regulation (GDPR), informing the regulatory body that users of the airline’s website had been diverted to a fraudulent site that harvested the personal information of about 500,000 customers. The data breach was the result of poor security arrangements by British Airways, which compromised personal information such as the names, addresses, email addresses, travel-booking details and credit card information of the individuals affected. The ICO stated that British Airways had co-operated with the investigation and had made improvements to both its website and its security arrangements since the incident took place.
In response to the ICO’s announcement, British Airways’ chair and chief executive Alex Cruz said the company was “surprised and disappointed” by the ICO’s decision, and that there is no evidence suggesting that the personal information harvested by the attackers was misused.
The intended fine amounts to 1.5% of British Airways’ 2017 worldwide turnover, which is far below the maximum penalty under GDPR of 4% of a company’s worldwide turnover. However, the ICO’s fine stands as the highest the UK data watchdog has ever announced, eclipsing the £500,000 fine against Facebook in response to the Cambridge Analytica scandal that affected millions of users.
British Airways will now have the opportunity to make representations to the ICO regarding the proposed findings and sanction, and the ICO will also consider representations made by other EU data protection authorities before taking its final decision.
Summary By: Hashim Ghazi