British Airways is gearing up to face a record £183m fine by authorities after a data breach caused it to lose more than 400,000 customers’ information.
The airline’s owner, International Consolidated Airlines Group (IAG), announced this morning it would make “any necessary appeals” in response to the penalty.
The figure is equivalent to 1.5 per cent of the firm’s turnover in 2017. It dwarfs the previous highest fine of £500,000 handed to Facebook for breaches of data protection law last year.
IAG shares fell 1.3 per cent this morning.
The Information Commissioner’s Office (ICO) has proposed the fine, the biggest it has ever handed out, in line with the UK Data Protection Act.
Last year, BA said hackers had carried out a “sophisticated, malicious criminal attack” and stolen the data of 429,000 customers. Information at risk from the breach included customers’ card numbers, expiry dates and CVV codes. It has since said it has seen no sign of fraud on accounts linked to the theft.
Firms ‘must look after’ personal data
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Alex Cruz, British Airways chairman and chief executive, said: “We are surprised and disappointed in this initial finding from the ICO.
“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.
“We apologise to our customers for any inconvenience this event caused.”
Willie Walsh, International Airlines Group chief executive, said: “British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
Fine ‘usually dictated by size of data breach’
Martin Tyley, UK Head of Cyber & Privacy at KPMG, said: “We’ve been waiting a while for the Information Commissioner’s Office to issue its first post-GDPR fine.
“In our view this sends a clear signal that the ICO isn’t afraid of using the full breadth of their enforcement powers and this is just the first of many similar actions we’ll see over the coming years.
“Privacy and GDPR is a complex field and businesses need to ensure that they understand where they might be exposed to risk to avoid potentially compromising consumer data as well as huge financial consequences for non-compliance. For thousands of organisations, this morning’s news is a serious wake-up call.”
Tony Pepper, chief executive of software company Egress, said: “This fine not only puts paid to any thoughts that the ICO lacked teeth in its pursuit of organisations putting customer data at risk, but also serves as a reminder to any company suffering from a complacent attitude to compliance that the handling, processing and storing of customer data should be its number one priority.
“This could very well be the first of many large fines issued by the ICO and will most definitely serve as a wake-up call to organisations that offer goods or services to, or monitor the behaviour of, EU data subjects.”
BA applies for litigation order
BA’s woe was compounded when law firm SPG confirmed the embattled airline had applied to the High Court for a group litigation order (GLO).
The airline has faced legal claims from thousands of customers whose data was stolen as part of the hack, many of whom SPG represents. Instead of replying to a letter from SPG inviting the airline to determine settlement or discuss the terms of a GLO, BA made an application direct to the High Court several weeks ago.
GLOs are usually applied for by claimants and it is “highly unusual” for a defendant to do so, said SPG.
SPG Law partner Harris Pogust said the airline “cannot evade its responsibility to recompense its victims in full”.