British Airways could be fined just over £183 million for the data breaches which affected its systems last year.
The carrier first announced the breach on September 6, 2018, with 380,000 customers initially thought to be affected by a 15-day breach between August 21 and September 5, 2018.
This number was reduced to 244,000 in a further disclosure on October 25, although BA also said at that point that 185,000 customers had potentially been affected by a breach surrounding its reward bookings system between April 21 and July 28, 2018.
The Information Commissioner’s Office said that “The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site”.
“Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018,” the ICO continued.
“The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.”
The ICO said that the carrier “has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light”.
In a statement provided to Business Traveller, BA’s parent company IAG said:
“Further to the theft of customer data from British Airways’ website, disclosed on September 6, 2018 and October 25, 2018, British Airways has been notified by the UK Information Commissioner’s Office (ICO) that it intends to issue the airline with a penalty notice under the UK Data Protection Act.
“The ICO has indicated that it proposes to impose a penalty of £183,390,000 (1.5 per cent of British Airways’ worldwide turnover for the financial year ended December 31, 2017).”
Commenting on the news, BA’s chairman and chief executive Alex Cruz said:
“We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
Meanwhile Willie Walsh, IAG’s chief executive, said:
“British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”