A data breach in 2018 that saw hackers steal personal data belonging to hundreds of thousands of British Airways customers has cost the company nearly 184 million British pounds (about $230 million), making it the biggest fine ever imposed for an incident of this kind.
The U.K.’s Information Commissioner’s Office (ICO) said it handed down the fine for breaches of data protection law that it said resulted from “poor security arrangements” at the company.
The breach took place during the summer of 2018, and affected anyone who used B.A.’s website or mobile app to book a flight or vacation. Hackers diverted customers to a fraudulent site from which they were able to harvest customer details that included names, addresses, log-in information, payment card numbers, and travel booking details. Initial reports said that around 380,000 people had been affected, but a the ICO this week put the number at 500,000.
Information Commissioner Elizabeth Denham said of the incident: “People’s personal data is just that — personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear — when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The airline was understandably upset with the record fine, with B.A. chairman and chief executive Alex Cruz saying his company was “surprised and disappointed” by the ICO’s findings, adding, “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
The largest fine before now was handed to Facebook in 2018 for its role in the Cambridge Analytica scandal. At 500,000 British pounds (about $625,000), that’s considerably lower than B.A.’s penalty. Larger fines have been made possible by new data protection laws that give greater powers to those dealing with such cases.
The news laws mean businesses can be fined up to 4% of their annual turnover. With B.A.’s fine equalling 1.5% of its worldwide turnover in 2017, it clearly could have turned out a lot worse for the airline. B.A. has four weeks to appeal the ICO’s decision.
- U.S. border agency says photos of travelers stolen in cyberattack
- Amazon sellers had funds stolen by hackers in extensive six-month fraud
- TikTok under investigation again over collection of children’s personal data
- Hackers broke into Outlook.com using worker’s credentials, Microsoft says
- Flipboard hack prompts password reset for millions of users