British Airways (BA), owned by IAG, is facing a fine of £183 million for the breach of its security systems last year.
This is the largest penalty handed out by the Information Commissioner’s Office (ICO), and the first to be made public under new rules. BA has said it is “surprised and disappointed” by the penalty and plans to appeal.
The incident in question saw British Airways’ customers diverted to a fraudulent site, where details of more than 500,000 customers were harvested by the attackers, according to the ICO. The investigation carried out by the ICO found that a variety of information was compromised by poor security arrangements at BA, including login, payment card and travel booking details as well as name and address information.
Elizabeth Denham, Information Commissioner, commented: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Alex Cruz, chief executive of British Airways, added: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
The penalty notice is worth 1.5 per cent of British Airways’ worldwide turnover, and comes as a result of the UK Data Protection Act. The ICO said BA has cooperated with its investigation and made improvements to its security arrangements following the security breach.