- UK’s ICO is looking to fine British Airways harshly for the breach they suffered last year.
- The company exposed millions of its customers’ credit card details, names, email addresses, and more.
- British Airways is expected to appeal the penalizing proposal through its parent company, IAG.
The UK Information Commissioner’s Office (ICO) has announced its intention to impose a hefty fine on British Airways for last year’s customer data breach. The data was lost from the British Airways website and mobile app servers, so ICO bases its decision on the GDPR regulations that hold companies responsible for protecting the data of their customers. As Elizabeth Denham of the ICO stated about the case:
“People's personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
As we reported last year, British Airways admitted to losing the data of 380000 clients who have made transactions on the company’s online platforms between August 21, 2018 and September 5, 2018, which exposed highly sensitive data such as full names, email addresses, and full credit card details (CVV codes, expiration dates, numbers). One month later, and following the internal investigation that was conducted by the UK’s flag carrier airline, they added another 185000 customers in the list, totaling 565000 people.
ICO’s subsequent investigation revealed that some had lost their login credentials as well, while not everyone has had their credit card details exposed by the breach. With a mix of different levels of information revelation, the ICO had to make a rough estimation that would reflect the case as a whole, and the final amount that they came up with is £183 million ($230 million). This announcement was met with surprise and disappointment by the British Airways, who are now called to pay what is the equivalent of approximately 12.5% of their annual net income, or roughly the cost for a brand new Boeing 787 Dreamliner.
British Airways was given 28 days to appeal against the decision as provisioned by the law, and they are expected to take this opportunity to turn things around by providing evidence that will convince ICO to reduce the amount of the fine. The chief executive of the parent company (IAG), Willie Walsh, has affirmed that they will do all things necessary to defend their position vigorously, including making all the required appeals that will drive the final figure downwards. In the same time, and as revealed by The Register, IAG is still looking to outsource the cybersecurity of British Airways to IBM and was close to sealing a deal just before the breach occurred.