British Airways has signalled its intention to appeal an enormous fine of more than GBP 183 million (AUD 329 million), levied against it for a data breach in which hackers stole the personal data of half a million of the airline’s customers.
The fine was imposed by Britain’s Information Commissioner’s Office (ICO), which said its extensive investigation had revealed that the hack involved customer details including login, payment card, name, address and travel booking information.
All were harvested after being diverted to a fraudulent website.
The ICO said the data breach, which began in June 2018, occurred because British Airways had “poor security arrangements” in place to protect customer information being accessed.
Last October, British Airways set about contacting two groups of customers not previously notified that their personal data might have been stolen, following the discovery that a “sophisticated, malicious attack” by hackers was much more extensive than it initially thought. See: Airline reveals cyber attack is worse than it thought
“People’s personal data is just that – personal,” said ICO Information Commissioner Elizabeth Denham.
“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Fiendishly cunning! The endless battle between cyber security and online criminals
Following an announcement to the London Stock Exchange that the ICO intended to fine British Airways for breaches of data protection law, the ICO confirmed that the proposed fine related to “a cyber incident notified to the ICO by British Airways in September 2018” which it said represented “infringements of the General Data Protection Regulation (GDPR)”.
It stated: “This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.
“The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.
“British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction.
British Airways B777-236ER
“ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
“The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.”
Willie Walsh, chief executive of BA’s parent company, International Airlines Group (IAG), said afterwards that British Airways would be making representations to the ICO in relation to the proposed fine, the Guardian reported.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” he said,
The paper quoted an analyst at Hargreaves Lansdown financial service company saying the fine would make a “pretty big dent” in IAG’s financial performance.
Written by Peter Needham
.jpg){kind=tracking}