Written by: Keith Tully
Reviewed: Tuesday 9th July, 2019
British Airways (BA) is facing the prospect of being fined more than £183 million for failures in relation to data protection laws.
The Information Commissioner’s Office (ICO) has made clear its intention to fine the airline for infringements of the General Data Protection Regulations (GDPR), which were introduced in May 2018.
“Poor security arrangements” at BA were blamed for allowing the personal data of close to 500,000 of its customers to be compromised by way of cyber attacks that are believed to have begun in June 2018.
Login details, payment card information, names and addresses, as well as travel bookings, are all understood to have been stolen from BA customers as a result of security failings on the part of the airline.
The cyber attackers in the case were reportedly able to breach BA’s online security and divert traffic away from its official website to a fraudulent site that was then used to obtain and harvest customer information.
“People’s personal data is just that – personal,” said the Information Commissioner Elizabeth Denham in a statement.
“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO was notified of the incident in September 2018 and has said that it now intends to fine BA well over £100 million, although the airline will be allowed to make representations in its own defence before a final verdict is given on the case.
According to the ICO, BA cooperated with its investigations into its security breaches and has made some improvements to its data protection policies in recent months.
BA’s chief executive Alex Cruz responded to the news by saying: “We are surprised and disappointed in this initial finding from the ICO.
“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”