The UK’s Information Commissioner’s Office intends to fine
British Airways £183.39 million over a breach that compromised the personal
data of some 500,000 customers.
In October of 2018, the self-touted “world’s favorite airline” announced it had fallen victim to an embarrassing cyber attack that exposed hundreds of thousands of customer records. The attack lasted more than two weeks before IT staff discovered something was amiss. An investigation later confirmed the number of affected accounts was 500,000, much higher than originally estimated. The attack was attributed to the Magecart group, which infected British Airways’ official website with malicious code designed to steal users’ credit card data when purchasing plane tickets.
After a more extensive investigation commissioned by the
ICO, British Airways now stands to cough up £183.39 million (204 million EUR /
230 million USD) in penalties under the EU’s General Data Protection Regulation
“The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information,” the ICO statement reads.
The notice also includes a statement from Information
Commissioner Elizabeth Denham, who said:
“People’s personal data is just that – personal. When an
organisation fails to protect it from loss, damage or theft it is more than an
inconvenience. That’s why the law is clear – when you are entrusted with
personal data you must look after it. Those that don’t will face scrutiny from
my office to check they have taken appropriate steps to protect fundamental
British Airways has 28 days to appeal the ICO’s claim. The
ICO says it will consider the airline’s representations, as well as claims made
by other data protection authorities concerned, before it declares its decision