UK data protection regulator the Information Commissioner’s Office (ICO) has hit British Airways with a £183.39 million fine for infringing the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018, in which user traffic to the BA website was diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers.

The personal data of 500,000 customers were compromised in this incident

, which is believed to have begun in June 2018.

The ICO found that a variety of information was compromised by poor security arrangements at the company, including log-in, payment card and travel booking details, as well as names and addresses.

Elizabeth Denham, information commissioner, ICO, said: “The law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The airline company has cooperated with the investigation and has

made improvements to its security since these events came to light

. BA will now have the opportunity to make representations to the ICO as to the proposed findings and sanction. The fine equates to £366 per person implicated and 1.5% of the airline’s worldwide turnover in 2017. GDPR allows for a maximum fine of €20 million or 4% of worldwide turnover, whichever figure is higher.

Record fine for British Airways is a ‘slap on the wrist’

The fine is roughly 367 times higher than the previous record fine under the previous data protection regime, the £500,000 imposed on Facebook over the Cambridge Analytica scandal.

Colin Truran, principal technology strategist at data protection software provider Quest, said this amount doesn’t seem that much.

 

“We need to understand that this is meant to be a slap on the wrist for the uncontrolled exposure of sensitive information for which we will never really know how it’s been used. What we really need to understand is why the failure happened, what can we all learn from this and what has BA implemented since then to improve the situation. We would also like to know what staved the hand of the ICO in not going for the full 4% fine [of BA’s annual turnover].”

Dianne Yarrow, partner and commercial solicitor at Gardner Leader solicitors, said: “Given the current GDPR guidelines it can be reasonably expected that any decision by the ICO will set a strong precedent for future large scale data breaches. Anyone who has not yet taken steps to ensure that they comply with GDPR should revisit what they need to do in the context of their business.”

The ICO has liaised with other European regulators regarding the case, and will consider the representations made by the company and other concerned data protection authorities before levying the fine.