British Airways has been smacked with a £183-million fine in the wake of a data breach that saw details of as many as 380,000 customers affected.
The BBC is reporting that the Information Commissioner’s Office (ICO) handed down the fine after an investigation into British Airways’ data breach in September of 2018.
British Airways’ parent company IAG said it was “surprised and disappointed in this initial finding from the ICO”. The penalty will represent one of the largest monetary fines handed down to a private company in the aftermath of a data breach.
The UK’s ICO says the penalty represents 1.5% of British Airways’ worldwide turnover, which is stipulated in the recently introduced General Data Protection Regulation (GDPR) legislation.
Willie Walsh, chief executive of IAG, said the airline would be defending itself “vigorously,” making “any necessary appeals” against the penalty. “British Airways will be making representations to the ICO in relation to the proposed fine,” Walsh said.
Chairman Alex Cruz told the media that “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft,” he said.
“We apologise to our customers for any inconvenience this event caused.”
The attack on British Airways’ network occurred between August 21st and September 5th of 2018, and impacted customers that made bookings on its website or from its mobile application. According to the UK’s Mirror, “cyber criminals behind the attack obtained enough credit card details to use them, with many banks forced to cancel and re-issue cards as a result of the stolen data.”
“While the fine is huge,” James Andrews writes, “it might have been bigger still - with the rules saying the maximum penalty for a company hit with a data breach is a fine of either £17 or 4% of global turnover, whichever is greater.”
If the maximum 4% penalty were to be enforced by the ICO, BA would be facing a penalty in excess of £488-million.