British Airways data breach fine set at £183m based on GDPR
British Airways is facing a record fine of £183m data breach of its security system.
The GDPR imposes stiff fines on data controllers and processors for non-compliance. On the one hand a company can either be fined up to €10 million, or 2% of the worldwide annual revenue of the prior financial year. On the other, It can be fine up to €20 million, or 4% of the worldwide annual revenue of the prior financial year. The total proposed BA fine of £183.39 million would be the biggest penalty ever issued by the ICO. It is the equivalent of 1.5% of BA’s global turnover for the financial year ending December 31.
The fine relates to the theft of customers’ personal and financial information between June 2018 and September 2018 from the website ba.com and the airline’s mobile app. The airline initially said around 380,000 payment cards had been compromised, however the ICO said in a statement that the personal information of 500,000 customers had been affected.
The ICO said the incident took place after users of British Airways’ website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers,
An ICO spokeswoman made clear that the figure was an initial notice of a fine and that the figure of £183.39m would be the largest ever issued by the ICO.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
What information was stolen?
According to the ICO, a variety of information was “compromised” by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.
BA initially said information involved included only names, email addresses, credit card information such as credit card numbers, expiry dates and the three-digit CVV code found on the back of credit cards.
Data protection regulators in other European countries will also be able to make representations on the scale of the fine because of the impact on their citizens. The money raised will be divided between the data regulation authorities across Europe with the money allocated to the ICO going to the Treasury.