British Airways facing $330m GDPR fine
The UK’s Information Commissioner’s Office (ICO) has proposed to fine British Airways £183.39 million ($329.7 million) in relation to a data breach affecting the private information of around 500,000 customers.
The regulator has issued a notice of intent to fine the airline under the EU’s General Data Protection Regulation.
The fine would be the equivalent of around 1.5% of British Airways’ annual global revenue and would be the biggest ever fine issued under the GDPR, both in terms of the actual amount and the proportion of revenue used to determine the size of the penalty.
According to the ICO, the penalty has been proposed following an “extensive investigation” into a cyber incident reported by the company in September. During this incident, attackers diverted traffic intended for the British Airways website to a fraudulent site and harvested the details of around 500,000 customers as a result.
The ICO said its investigation found that poor security arrangements at the company had left a variety of information compromised, including login, payment card and travel booking details as well as name and address information.
“People’s personal data is just that — personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience,” Information Commissioner Elizabeth Denham said.
“That’s why the law is clear — when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways has made improvements to its security arrangements since the attack was disclosed, the ICO said. The company and other European data authorities will now have a chance to make representations to the regulator to influence the final decision on the size of the fine.
But British Airways and parent company International Airlines Group have vowed to appeal the proposed fine, insisting that British Airways “responded quickly to a criminal act to steal customers’ data”.