British regulators announced intentions to fine British Airways $230 million (£183m) for a data breach that impacted close to 500,000 customers.
The Information Commissioner’s Office (ICO) plans to impose the record fine as a result of infringements of the General Data Protection Regulation (GDPR) law. GDPR is the European Union data protection law introduced in May of 2018.
British Airways previously disclosed the data breach, which occurred between August and September 2018. Approximately 500,000 customers who visited its website (ba.com) and mobile app were diverted to a fake website. Consequently, hackers were able to harvest and steal sensitive data, such as login credentials, payment card details, travel booking details, and name and address information.
The ICO cited “poor security arrangements” and also said organizations entrusted with personal data have a responsibility to protect individuals’ privacy.
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” Information Commissioner Elizabeth Denham stated in the press release.
British Airways has also cooperated with the ICO investigation and has improved its security controls since the security incidents were discovered. The company will also have a chance to appeal and present its arguments to the ICO in regards to the proposed findings and sanction.
British Airways’ parent company, International Airlines Group, also said the company will “intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
The proposed GDPR fine comes after the French data protection watchdog imposed a fine of nearly $57 million earlier this year against Google for violating GDPR privacy rules.