The Information Commissioner’s Office (ICO) is proposing a fine of £183.39 million (approximately $229.64 million) against British Airways for the data breach that occurred in 2018. The incident is classified as an infringement of the General Data Protection Regulation (GDPR).
British Airways disclosed the hacking of its website and app on September 6, 2018. “From 22:58 (BST) August 21, 2018, until 21:45 (BST) September 5, 2018, inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised,” the airline stated at the time.
User traffic to the British Airways website was diverted to a fraudulent site, through which the attackers harvested customers’ details, including names, home and email addresses, and payment card details, the authority outlines.
It was initially believed that the data breach affected about 380,000 card payments. The ICO now states that approximately 500,000 customers’ details were leaked. The incident is “believed to have begun” in June 2018, two months earlier than disclosed in BA’s initial statement.
“British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light,” a statement by the ICO reads.
The proposed fine is not yet a final decision, as British Airways will be able to make representations to the ICO as to “the proposed findings and sanction”. The company reportedly intends to make these representations.
Under EU law, GDPR infringements are punishable by a maximum, “upper level” fine of up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. However, it appears that British Airways’ case falls into a “lower level” fine category, in which the maximum fine could be up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher. The ICO’s proposed $230 million fine is equal to approximately 1.5% of British Airways’ revenue in the 2017 financial year.