British Airways owner IAG is facing a record $230 million fine after half a million customers had their data stolen from its website.
BA, whose slogan is “the world’s favourite airline”, plans to appeal against the fine, equivalent to 1.5 percent of the airline’s 2017 worldwide turnover.
The UK’s Information Commissioner’s Office (ICO) said the hack had exposed poor security arrangements at the airline.
European data protection rules – known to millions of website users as GDPR – came into force in 2018, and allow regulators to fine companies up to four percent of their global turnover for data protection failures.
The attack involved traffic to the British Airways website being diverted to a fraudulent site, where customer details such as login, payment card and travel booking details – as well as names and addresses – were harvested, the ICO said.
“People’s personal data is just that – personal,” said Information Commissioner Elizabeth Denham.
“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”
BA’s chairman and chief executive Alex Cruz said he was “surprised and disappointed” by the proposed penalty.
“British Airways responded quickly to a criminal act to steal customers’ data,” he said.
“We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
Professor Karen Yeung, a data governance expert at Birmingham University, said other companies would take notice of the size of the penalty.
“This very substantial fine sends a clear and important message to firms of all shapes and sizes about the critical importance of ensuring that they have effective systems in place to comply with data protection laws,” she told Al Jazeera.
“Although the basic principles of European data protection law were largely preserved in the GDPR, one of its most significant changes was the introduction of much more powerful enforcement and sanctioning powers for European data protection authorities.
“Until the GDPR took effect, it has been too easy for organisations to overlook the importance of complying with data protection laws. This is partly because the tangible harm following a violation, such as a major data breach, can be very difficult for any individual to quantify and to prove. A person whose data has been stolen due to a data breach might avoid suffering any concrete harm in the form of fraudulent use of their personal data. Yet they must endure real anxiety and personal inconvenience, knowing that they have become much more vulnerable to fraudulent and malicious attempts to exploit their personal data following incidents of this kind.
“The fine imposed on British Airways by the UK’s ICO makes it clear that organisations must take data protection law seriously. It represents an important and welcome step towards ensuring that individuals’ fundamental rights of data protection are given proper protection.”
Willie Walsh, CEO of parent company IAG, said BA would be making representations to the ICO about the proposed fine.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” he said.
Shares in IAG fell 0.8% to 452.7 pence by 0810 GMT.
Analyst Gerald Khoo at broker Liberum said the proposed fine equated to about nine pence per IAG share.
“While IAG has more than adequate liquidity to cover the fine [December 2018 cash 3.8 billion euros ($4.3bn), total liquidity 6.3 billion euros ($7.1bn)], the penalty is still substantial,” he said.
The ICO, which could impose fines up to £500,000 ($626,000) under previous rules, had also investigated BA on behalf of other European regulators.
The ICO fined Facebook £500,000 in 2018 for serious breaches of data protection law. It said the penalty would “inevitably have been significantly higher under GDPR”.