British Airways (BA/BAW) is to be hit with a record-breaking £183.39m fine by the Information Commissioner's Office (ICO) following last year's breach of its website.
British Airways was hit by what it described as a “sophisticated” hacking attack on its website that saw visitors diverted to a fake British Airways website which collected their personal information.
In total it affected more than 500,000 users.
British Airways reported that the incident first took place in September 2018 and involved only payment information, but the ICO said it believed the incident dated back to June 2018 and included all personal data, including booking arrangements and personal details.
The ICO did say that British Airways had fully cooperated with the investigation and had made changes to its data security.
The record fine is the first major investigation under the new General Data Protection Regulation (GDPR) that came into force last year. GDPR gives the ICO the power to fine British Airways up to 4% of annual turnover.
In announcing its intention to fine British Airways, Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways now has 28 days to appeal the decision, and the ICO will carefully consider the representations made by the company before it makes its final decision to confirm or reduce the penalty.