Share this article on:
The UK Information Commissioners Office (ICO), the GDPR supervisory authority, has issued the largest GDPR penalty to date to British Airways. British Airways can appeal, but as it stands the ICO will fine the airline £183.39 million ($228 million) for security failures that were exploited in a 2018 cyberattack on its website.
The fine surpasses the previous record of £500,000 ($623,000) issued to Facebook over the Cambridge Analytica scandal. For British Airways however, its breach occurred after May 25, 2018 – The effective date of the EU’s General Data Protection Regulation.
GDPR updated a previous EU directive and in addition to introducing a slew of new privacy and security regulations, the penalties for privacy and data security failures were substantially increased. The maximum penalty for a serious GDPR violation is now €20 million ($22.4 million) or 4% of global annual turnover, whichever is higher.
The £183 million penalty corresponds to 1.5% of BA’s global annual turnover for 2017. The maximum penalty would have been close to £500 million if its holding company, International Airlines Group (IAG), was found to be involved. The global annual turnover for IAG in 2017 was €2.27 billion.
Under GDPR, entities that experience a breach involving the data of EU citizens must report the breach within 72 hours of discovery. BA announced its breach and reported the incident to ICO on September 6, 2018, one day after the breach was discovered.
The subsequent ICO investigation uncovered security failures that were exploited by hackers to gain access to BA’s website. Code was inserted which redirected visitors to a fraudulent website where personal information and credit/debit card details were stolen. According to ICO, the personal and financial information of around 500,000 customers was stolen. ICO said the breach occurred some time in June 2018 and continued until September 5.
The fine was not issued for the breach itself. ICO has said the fine reflects the seriousness of the security failures that opened the door to the hackers.
The ICO has only issued a ‘Notice of Intent’ to fine BA. BA now has 28 days in which to launch an appeal. “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” said Willie Walsh, chief executive of International Airlines Group.