The owner of British Airways is facing a fine of £183.4m after a data breach which saw personal details belonging to 500,000 people compromised.
The Information Commissioner’s Office (ICO) has told the International Airlines Group (IAG) that BA will be penalised under the Data Protection Act, and that the fine will be equivalent to 1.5% of its worldwide turnover for 2017.
BA boss Alex Cruz said the airline was “surprised and disappointed” while IAG chief executive Willie Walsh said BA would make representations to the ICO about the scale of the fine, and could appeal it.
The record penalty is the first under tough new data protection rules that came into effect in 2018. Facebook was last year fined £500,000 by the ICO for a data breach under the old rules.
It follows the theft of customer data from BA’s website, details of which were disclosed last autumn.
The ICO said the incident in part involved user traffic to the site being diverted to a fraudulent site, through which the data was “harvested” by cyber attackers.
It said personal data “of approximately 500,000 customers” was “compromised by this incident”.
The regulator said it had found a variety of information “was compromised by poor security arrangements at the company”, including login, payment card and travel booking details as well as name and address information.
Information commissioner Elizabeth Denham said: “People’s personal data is just that – personal.
“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it.
“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
BA first said in September that the details of 380,000 customers had been compromised in a data theft between 21 August and 5 September, after hackers targeted users of BA.com and its mobile app – though it later said a smaller number, 244,000, were affected by this breach.
In October, a further group of 185,000 customers were notified over a cyber attack targeting people making reward bookings and those who used a payment card between 21 April and 28 July last year.
BA has apologised to those affected, many of whom had to cancel their credit cards, and offered to compensate those left out of pocket, but has come out fighting against the scale of regulatory penalty it now faces.
Mr Cruz said: “We are surprised and disappointed in this initial finding from the ICO.
“British Airways responded quickly to a criminal act to steal customers’ data.
“We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.
“We apologise to our customers for any inconvenience this event caused.”
Mr Walsh said: “British Airways will be making representations to the ICO in relation to the proposed fine.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
Shares opened about 1% lower.
George Salmon, equity analyst at Hargreaves Lansdown, said: “The fine serves as a reminder that while one might think of data risks as more relevant to the likes of Google, Facebook and other tech giants, the new rules cover any business with customer data on board.”