British Airways to be fined $230m over data breach
The record-breaking GDPR penalty is regarding last year's computer theft of company's passenger dataEuropost
The UK’s data watchdog has issued a "notice of intent" that it plans to fine the airline British Airways a record $230m after last year website failure compromised the personal details of roughly 500,000 customers, violating EU's General Data Protection Regulation (GDPR). According to the Information Commissioner’s Office (ICO) it was company's '“poor security arrangements” that lead to the breach of credit card information, names, addresses, travel booking details, and logins of its customers.
If imposed the fine would be the largest the ICO has ever issued, BBC News reports, far more than the £500,000 fine against Facebook for the Cambridge Analytica scandal that affected millions.
"However, Facebook’s fine was the maximum legal amount allowed under the UK’s previous data privacy regulation, the 1998 Data Protection Act. At the time regulators said it would have been “significantly higher” under the new GDPR rules. GDPR allows a company to be fined a maximum of 4% of its worldwide turnover; BA’s fine amounts to 1.5 percent of its 2017 revenue," the Information Commissioner Elizabeth Denham said in a statement, while also expressing hope that such financial penalties would make companies take appropriate steps “to protect fundamental privacy rights” and strop threating data theft as "inconvenience."
British Airways will now have 28 days to appeal the ruling before it is made final. Willie Walsh, chief executive of IAG, the firm’s parent group, reportedly said British Airways would be making representations to the ICO.
"We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals," he said.
In the meantime, Alex Cruz, British Airways' chairman and chief executive, said the airline was "surprised and disappointed" in the ICO's initial finding.
"British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft," he stated. "We apologise to our customers for any inconvenience this event caused."