British Airways will be handed down the largest penalty on record from the ICO for a data breach last year that affected 500,000 customers.
British Airways could be footing the bill for a record £183m fine over a data breach last year in which the names, addresses, travel booking details, credit card numbers and more of around 500,000 customers were leaked.
Cybercriminals diverted traffic from the British Airways website to a fraudulent site through which they harvested data from unwitting customers. The incident is thought to have begun in June 2018.
This skimming tactic was found to be similar to that leveraged against Ticketmaster UK, leading threat management firm RiskIQ to conclude that the attacks were perpetrated by the same criminal gang.
The Information Commissioner’s Office (ICO), which is the UK’s data watchdog, said in a statement that it would fine the airline under GDPR. The ICO found through its investigation that “poor security arrangements” at the company were to blame for the breach.
Also in the statement, UK information commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The penalty that British Airways is set to incur amounts to 1.5pc of its world turnover in 2017, which is less than the possible maximum of 4pc allowed under GDPR. Up until GDPR’s implementation, the maximum fine data watchdogs could mete out was £500,000 – which is what Facebook was fined for its role in the Cambridge Analytica scandal.
The ICO has said that this is the biggest penalty it has ever handed out and the first to be made public under new rules.
Responding to the news, British Airways’ chairman and CEO Alex Cruz said the company was “surprised and disappointed” by the ICO’s decision.