British Airways to be fined a record £183 million
The Information Commissioner's office has announced its intention to fine British Airways a record £183.39 million in relation to a data breach reported in September 2018.
The breach is thought to have commenced in June 2018, when traffic to the British Airways site was diverted to a fraudulent website to harvest personal data such as names, addresses and credit card details. British Airways described the incident as a "sophisticated, malicious criminal attack" on its systems.
Whilst British Airways has cooperated fully with the investigation, and improved its security and practices, the ICO found that at the relevant time British Airways' cyber security was poor, allowing some 500,000 customers to be affected by the cyber-attack.
It's important to note that this is only the preliminary view of the Information Commissioner's Office, setting out its intentions in relation to the breach. British Airways will be given the opportunity to comment on the proposed sanction, as will the data protection regulators from other European countries where individuals have been affected, before the decision is made final.
However, if the fine stands, it will be the largest fine imposed by the ICO and the first using its new powers under the much heralded GDPR.
The Information Commissioner, Elizabeth Denham, said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
This is a clear message being sent to those trusted with safeguarding personal data: take data protection seriously, or face the consequences.
We have been working closely with a number of organisations to assist them in getting on top of GDPR compliance, and importantly, keeping their compliance and best practice under regular review.
If you have any data protection queries arising out of this development or would like to discuss your Data Breach Response plans further, please contact one of our team.