British Airways is facing the prospect of having to pay a record fine of £183 million for the breach of its security systems last year.
The airline who are owned by IAG, stated that it was ‘surprised and disappointed’ by the large penalty enforced by the International Commissioners Office (ICO).
At the time of the incident, British Airways, stated that the breach was due to a sophisticated, malicious criminal attack on its website, which was carried out by hackers. However the ICO has handed the airline the biggest ever penalty for this type of data breach and has also made it public for the first time ever due to the implementation of new rules.
The ICO stated that the breach took place after users of the British Airways website were diverted to a different, fraudulent site. Through the false site, details of approximately 500,000 people were collected by the hackers, the ICO said.
Information Commissioner, Elizabeth Denham, stated that “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The attack was initially highlighted on 6th September 2018 and British Airways initially stated that approximately 380,000 transactions were effected, however the stolen data did not include passport or travel details.
The ICO believed that the start of the attack was implemented at some point in June 2018.
The independent watchdog claimed that a range of information was compromised by a lack of security arrangements within the company, including log in, payment card, and travel details, alongside names and addresses. However, British Airways initially stated that information included names, emails and card details.
The watchdog said that the airline had co-operated with the investigation and had made significant strides in improving the security arrangements within the company.
Now that the penalty has been announced for BA, the company now have 28 days to appeal the ruling. The chief executive of IAG stated that British Airways will be making a case for appeal to the ICO. “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” he said.
No matter what the outcome of the appeal BA will be having to pay a fine and in this case the question arises as to where the money will go. The penalty charge is divided between European data authorities and the money that comes to the ICO goes directly to the treasury.
In terms of individuals, it is their own responsibility to make a claim to British Airways, who have provided no information whether any compensation has or will be paid.
If you have any queries about the contents of this article, please contact a member of the HPC team:
T: 0151 556 1975