British Airways (BA) has been hit with a record fine by the Information Commissioner’s Office (ICO), after a 2018 data breach that exposed the personal details of around 500,000 customers. The penalty, which is the largest ever imposed by the UK’s data protection watchdog, comes after hackers breached the airline’s security systems in June 2018 (the incident came to light in September). The hackers diverted users away from the legitimate BA website to a fraudulent site, in order to harvest the personal details of customers.
The watchdog clarified that passport details were not compromised, but indicated that other personal details, including names, email addresses and credit card information, were accessed.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that, personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.”
“That’s why the law is clear: when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The airline, which is owned by IAG, says that it is ‘surprised and disappointed’ by the ICO’s decision.
The fine dwarfs the previous largest fine issued by the ICO, which was handed to Facebook for its role in the Cambridge Analytica data scandal. The social media giant was fined £500,000, the maximum penalty allowed before the General Data Protection Regulation (GDPR) came into force.
Under the GDPR, fines of up to 4% of annual company turnover can be issued. The BA fine amounted to 1.5% of its global 2017 turnover, and is the first that the ICO has made public under the new GDPR rules.