British Airways faces £183m GDPR fine over hack, four times Google's GDPR fine

British Airways (BA) could be slugged with a £183 million (AU$328m) fine over a data breach it disclosed in September 2018, months after the EU’s new GDOR privacy laws allowed regulators to impose fines of up to four percent of an organization’s global annual revenues.

BA in September disclosed a breach that it said at the time affected around 380,000 card payments due to a flaw in its website. The cards were affected between 21 August and 5 September, it said.  

UK privacy regulator the Information Commissioner’s Office (ICO) today said that customers visiting BA’s website were redirected to a fraudulent website where they entered payment card data that was harvested by attackers. 

The ICO estimated that around 500,000 customers were compromised in this incident and noted that it was believed to have begun in June 2018, or two months prior to the time BA originally said. 

BA, owned by IAG, said it was “surprised and disappointed” at the ICO’s proposed fine, which amounts to 1.5 percent of the airline's 2017 worldwide revenues. BA intends to appeal the proposed fine. 

“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft,” said Alex Cruz, British Airways chairman and chief executive. 

“We apologise to our customers for any inconvenience this event caused.”  

The EU’s General Data Protection Regulation (GDPR) came into effect in May 2018 and BA's fine is the largest to date under the new rule, assuming it sticks.  

Facebook escaped a potential £1.2 billion fine over its treatment of user data that led to the Cambridge Analytica scandal because the leak of millions of users personal details occurred before May 2018. Facebook is challenging the ICO’s fine under pre-GDPR rules of just £500,000.   

Google meanwhile is challenging a €50 million (AU$79 million) fine issued by France in January under GDPR due to failure to gain informed consent from Android users. Until BA’s fine, Google's French fine was the biggest ever penalty issued under GDPR. 

IAG today confirmed the ICO’s statement that the number of affected customers was closer to 500,000 rather than its initial assessment of 380,000. 

IAG said it is notifying an additional 77,000 customers that their name, billing address, email address, card payment information, including card number, expiry date and CVV may have been impacted. 

A further 108,000 customers were also impacted but their card’s CVV num per was not exposed. This group were making reward bookings using a payment card between April 21 and July 28, 2018. 

The ICO said its investigation revealed “poor security arrangements” at BA overpayment card data and travel booking details. 

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience,” said ICO commissioner Elizabeth Denham.

“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”