LONDON (Reuters) – British Airways-owner IAG is facing a record $230 million fine for the theft of data from 500,000 customers from its website last year under tough new data-protection rules policed by the UKs Information Commissioners Office (ICO).
The ICO proposed a penalty of £183.4 million, or 1.5% of British Airways 2017 worldwide turnover, for the hack, which it said exposed poor security arrangements at the airline.
BA indicated that it planned to appeal against the fine, the product of European data protection rules, called GDPR, that came into force in 2018. They allow regulators to fine companies up to 4% of their global turnover for data-protection failures.
The attack involved traffic to the British Airways website being diverted to a fraudulent site, where customer details such as log in, payment card and travel booking details as well as names and addresses were harvested, the ICO said.
Information Commissioner Elizabeth Denham said: “Peoples personal data is just that – personal.
“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. Thats why the law is clear – when you are entrusted with personal data you must look after it.”
BAs chairman and chief executive Alex Cruz said he was “surprised and disappointed” by the proposed penalty.
“British Airways responded quickly to a criminal act to steal customers data,” he said.
“We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
Willie Walsh, CEO of parent company IAG, said BA would be making representations to the ICO about the proposed fine.