A data breach in 2018 that saw hackers steal personal data belonging to hundreds of thousands of British Airways customers has cost the company nearly 184 million British pounds (about $230 million), making it the biggest fine ever imposed for an incident of this kind.
The U.K.’s Information Commissioner’s Office (ICO) said it handed down the fine for breaches of data protection law that it said resulted from “poor security arrangements” at the company.
The breach took place during the summer of 2018, and affected anyone who used B.A.’s website or mobile app to book a flight or vacation. Hackers diverted customers to a fraudulent site from which they were able to harvest customer details that included names, addresses, log-in information, payment card numbers, and travel booking details. Initial reports said that around 380,000 people had been affected, but the ICO this week put the number at 500,000.
Information Commissioner Elizabeth Denham said of the incident: “People’s personal data is just that — personal. When an organization fails to protect it from loss, damage, or theft it is more than an inconvenience.
“That’s why the law is clear — when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The airline was understandably upset with the record fine, with B.A. chairman and chief executive Alex Cruz saying his company was “surprised and disappointed” by the ICO’s findings, adding, “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
The largest fine before now was handed out to Facebook in 2018 for its role in the Cambridge Analytica scandal. At 500,000 British pounds (about $625,000), that’s considerably lower than B.A.’s penalty. Larger fines have been made possible by new data protection laws that give greater powers to the agencies that deal with such cases.
The new laws mean businesses can be fined up to 4% of their annual turnover. With B.A.’s fine equaling 1.5% of its worldwide turnover in 2017, it clearly could have turned out a lot worse for the airline. B.A. has four weeks to appeal the ICO’s decision.
