
British Airways receives record fine over customer data theft

The fine is the first and largest proposed fine under new data protection rules introduced last year
July 8, 2019

The UK Information Commissioner’s Office (ICO) intends to fine British Airways, owned by International Consolidated Airlines (IAG), more than £183m for infringement of the General Data Protection Regulation (GDPR) following a cyber attack last year, making this the first and largest proposed fine under the GDPR from the ICO.

IC TIP: Hold at 450p

The ICO was notified of the cyber attack in September last year, but the attack is believed to have begun in June 2018, compromising the personal data of approximately 500,000 customers. The attack involved diverting user traffic from the British Airways website to a fraudulent site, where attackers recorded personal data. The regulator determined that British Airways had poor security arrangements in place, including for the log-in procedure, payment card and travel booking details, and name and address information. British Airways has since made improvements to its security arrangements.

IAG chief executive Willie Walsh said he intends to take all appropriate steps to defend the airline’s position “vigorously”, including appealing the decision. British Airways chairman and chief executive, Alex Cruz, said the company is “surprised and disappointed” in the ICO’s finding, as he believed that the airline responded quickly to the data breach, and no evidence of fraudulent activity on customers’ accounts has been found. The £183m fine represents 1.5 per cent of British Airways’ worldwide turnover for the 2017 financial year.