British Airways Faces Record Fine
British Airways faces a record $230 million fine after a website failure compromised the personal details of roughly 500,000 customers. It would be the largest penalty yet under a tough privacy rule known as the General Data Protection Regulation, which came into force last year in the European Union.
The UK Information Commissioner’s Office said that weak security allowed user traffic to be diverted from the British Airways website to a fraudulent page starting in June 2018. The regulator said the company will have a chance to contest the proposed fine.
Attackers were able to harvest customer details including logins, payment cards, and travel booking details, according to the regulator. The airline disclosed the incident in September 2018. The £183.4 million ($230 million) fine is roughly 1.5% of British Airways’ annual revenue. The carrier, which is owned by IAG, said it would fight the penalty.
“We are surprised and disappointed in this initial finding,” British Airways CEO Alex Cruz said in a statement. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud [or] fraudulent activity on accounts linked to the theft,” he added.
British Airways last year said about half a million passenger records were accessed in a cyberattack that took place between August 21 and Sept. 5. The airline carried more than 45 million passengers in 2018. The airline group said Sept. 6 that it had discovered and resolved the breach of its website and app and that police were notified. The ICO said Monday that a variety of information was compromised by poor security arrangements at the company, including login, payment-card and travel booking details as well as name and address information.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” IAG Chief Executive Willie Walsh said Monday. The ICO said the airline has cooperated with its investigation and made improvements to its security. It also said it would take into account feedback from British Airways and other data-protection authorities as it makes a final determination on the fine.
The airline has 28 days to make its case. The regulator said the company can appeal against any final determination.