The UK ICO (Information Commissioner's Office) started this morning with a GDPR bang: it announced that it has fined British Airways and its parent, International Airlines Group (IAG), £183.39 million ($230 million) over a record data breach that took place last year. The breach affected a whopping 500,000 customers who were browsing and booking tickets online.
In its investigation, the ICO said it found that a variety of information was compromised because of inadequate security measures. It further said that poor security arrangements at the company led to the breach of credit card information, names, addresses, travel booking details, and customers' logins. BBC News reported that the fine is the largest the UK ICO has ever issued.
It is far more than the £500,000 fine against Facebook for the Cambridge Analytica scandal, which affected millions. British Airways will now have 28 days to appeal the ruling before it is made final. More precisely, the fine, equal to 1.5% of all British Airways revenue for the year that ended December 2018, is the highest the UK ICO has ever leveled at a company over a data breach. The implication of the fine is significant because it shows that data breaches are not just a public relations liability that destroys consumer trust in the organization, but a financial liability, too.
International Airlines Group (IAG) shares are currently seeing ups and downs in London trading, down 1.5% at the moment. In a statement, the two leaders of IAG defended the company and said that its own investigations had found no evidence of fraudulent activity on accounts linked to the theft.
Willie Walsh, International Airlines Group chief executive, said: “British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
The extent to which the company will be held accountable for these breaches is going to be far more transparent going forward. The ICO’s statement is part of a new directive to disclose the details of its fines and investigations to the public.
“People’s personal data is just that – personal,” said Information Commissioner Elizabeth Denham in a statement. “When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
This morning the ICO said in a statement that the fine relates to infringements of the General Data Protection Regulation (GDPR), which came into force last year, before the breach. The data breach involved malware on BA.com that diverted user traffic to a fraudulent site, where customer details were subsequently harvested by malicious hackers. British Airways notified the ICO in September, but the breach had already started in June.
The ICO said that British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since then. From today’s statement issued by IAG, it seems that BA will choose to appeal the fine and the overall ruling. Many questions are now being raised about how the UK will interface with the rest of Europe on regulatory cases.