The UK’s Information Commissioner’s Office has declared that it intends to fine British Airways a record total of £183.4m because of a data breach it suffered during the summer of 2018.
The airline fell victim to a cyberattack that saw hackers gain access to personal information and credit card data of hundreds of thousands of its customers in an incident believed to have begun in June last year.
The attack, apparently by the notorious cybercriminal group Magecart, only came to light in September – it’s believed that over 500,000 customers purchasing flights on the British Airways website and mobile application had their data stolen in the attack.
Following an investigation, the ICO declared that customers’ personal data was compromised as a result of “poor security arrangements” by the airline.
British Airways said it was “surprised and disappointed” by the fine and said there has been “no evidence of fraudulent activity on accounts linked to the theft” – but that hasn’t prevented the ICO from making plans to issue the record penalty.
British Airways is appealing against the prospect of the fine, but as it stands, the £183m figure is four times the size of the previous largest fine – that €50m penalty was issued to Google by the French data protection authority for a lack of transparency in its advertising. The £183m figure also eclipses the ICO’s previous biggest fine of £500,000, which it issued to Facebook for its role in the Cambridge Analytica scandal.
The move by the ICO is a significant milestone, not just because the planned fine is so much larger than others, but also because it represents the first major penalty notice issued on a wide-scale cyberattack that affected a multinational organisation and hundreds of thousands of its customers.
The ICO has yet to release its full report on why it has issued such a large fine, but it’s likely the way in which this incident was so high-profile, and impacted so many people, has played some role in the decision.
By announcing plans to issue such a large fine, the ICO is also sending a message – not only to British Airways, but to other organisations – that GDPR is here and is a force to be reckoned with.