British Airways data breach: BA set to be fined £183m

British Airways was today hit with a record £183 million fine for failing to protect customer data from a hacking attack.

The total proposed fine of £183.39 million would be the biggest penalty ever issued by the ICO.

It is the equivalent of 1.5% of BA's global turnover for the financial year ending December 31.

The fine relates to the theft of customers' personal and financial information between June 2018 and September 2018 from the website ba.com and the airline's mobile app.

The airline initially said around 380,000 payment cards had been compromised; however, the ICO said in a statement that the personal information of 500,000 customers had been affected.


The ICO said its "extensive investigation" found that a variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details, as well as name and address information.

The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site, where customer details were harvested by the attackers, the organisation said.

Details of the data breach were made public on September 6 and October 25 last year.

Alex Cruz, chairman of BA, said the airline was "surprised and disappointed" by the initial finding.

He said: "British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused."

Willie Walsh, chief executive of BA's owner International Airlines Group (IAG), said the airline would "defend the airline's position vigorously, including making any necessary appeals".

An ICO spokeswoman made clear that the figure was an initial notice of a fine and that the figure of £183.39m would be the largest ever issued by the ICO.

Information Commissioner Elizabeth Denham said: "People's personal data is just that – personal.

"When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.

"That's why the law is clear – when you are entrusted with personal data you must look after it.

"Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

Data protection regulators in other European countries will also be able to make representations on the scale of the fine because of the impact on their citizens.

The money raised will be divided between the data regulation authorities across Europe with the money allocated to the ICO going to the Treasury.

Shares in IAG were down as much as 1.95 per cent in early trading today, at one point hitting a low of 447.6p.
