Back in September 2018, British Airways followed the rules and informed the Information Commissioner's Office (ICO) of a potential data breach. The airline, owned by IAG group, had discovered its website had been compromised and an estimated 500,000 customers’ data had been accessed by hackers.
Now, after an investigation into ‘poor security’, the ICO has issued a statement of intention to fine British Airways £183.39 million.
What happened is not uncommon for internet hacks. Customers were diverted to a fraudulent version of the British Airways website, where personal details such as payment card details, full names and addresses were accessed by attackers, along with login and password information. The attack is thought to have begun in June 2018.
If it goes ahead, this will be one of the first fines to be publicly handed out by the ICO under the new General Data Protection Regulation (GDPR). The GDPR states that companies can be fined up to 4% of annual turnover for a data breach.
Prior to this, the largest fine on record was £500,000, levied on Facebook for a breach under the previous Data Protection Act. The British Airways fine announced today would be almost 400 times higher than that given to the social network in 2018. The difference is simple – the rules have changed. The sanctions are more severe, and the message is clear: take care of people’s data.
The ICO states the airline has cooperated fully with the investigation and has made improvements to security following the breach. There will now be an opportunity for the company to make representations to the ICO regarding the proposed findings and sanction.
We have extensive experience in data protection. If we can help you, or you’d like to discuss your company’s approach and whether it adequately meets the ICO requirements, get in touch: firstname.lastname@example.org or call 01274 562630.