British Airways to be fined for GDPR infringements
The ICO said in a statement on its web site that, following an extensive investigation into a cyber incident of which it was notified by the airline in September 2018, it would levy the fine, which represents 1.5% of BA’s 2017 worldwide turnover.
According to the ICO, the incident in part involved user traffic to the British Airways web site being diverted to a fraudulent site, through which customer details were harvested by the attackers. The ICO said personal data of approximately 500,000 customers was compromised in this incident, dating from June 2018.
The statement says the office’s investigation found that a variety of information was compromised through poor security arrangements at BA, including login, payment card, and travel booking details, as well as name and address information.
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience,” said Elizabeth Denham, Information Commissioner, UK. “That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The airline “cooperated with the ICO investigation”, said the statement, and has made improvements to its security arrangements in the wake of the investigation. The ICO confirmed that BA will have an opportunity “to make representations” to the commissioner’s office with regard to the proposed findings and sanction.
While the fine is substantial, 1.5% of worldwide turnover in the previous year of business is considerably less than the maximum level of 4% within the regulations.
British Airways chairman and chief executive, Alex Cruz, is quoted as saying the airline is “surprised and disappointed” with the fine.
IAG group chairman Willie Walsh has said “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals”.