The United Kingdom Information Commissioner’s Office (ICO) has issued British Airways a £183.39 million (A$330 million) fine after the personal data of half a million customers was compromised in 2018.
The incident occurred in June 2018, with British Airways reporting the breach to the ICO in September 2018, the ICO said in a statement on Monday (UK time).
According to the ICO, user traffic was diverted to a fraudulent website where customer details, including credit card information, were harvested by hackers.
“The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information,” the ICO said.
“Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.
“British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light.”
The ICO said British Airways had cooperated with the investigation and made improvements to its security arrangements since the data breach was discovered.
Further, the airline would have the opportunity to make representations in response to the proposed findings and sanction before the ICO handed down a final decision.
“People’s personal data is just that – personal,” Information Commissioner Elizabeth Denham said in a statement.
“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it.
“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways chief executive Alex Cruz said the airline was “surprised and disappointed” with the initial finding.
“British Airways responded quickly to a criminal act to steal customers’ data,” Cruz said in a statement issued by the airline’s parent company International Airlines Group (IAG).
“We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.
“We apologise to our customers for any inconvenience this event caused.”
IAG noted the fine represented 1.5 per cent of British Airways’ worldwide turnover in calendar 2017.
“British Airways will be making representations to the ICO in relation to the proposed fine,” IAG chief executive Willie Walsh said.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
British Airways is not the only carrier to have suffered a data breach in recent times. In 2018, Cathay Pacific revealed up to 9.4 million people were affected by an attack on its systems.
The Hong Kong privacy commissioner for personal data, Stephen Wong, said in a report handed down in July that an investigation had found elements of Cathay Pacific’s IT systems were “too lax” in securing passenger information in the period before the airline suffered a massive data breach.