British Airways could be forced to pay millions in fines over a data breach from 2018. Britain’s Information Commissioner’s Office has issued approximately $229 million in fines to the flag carrier over the incident for violations of the European Union’s General Data Protection Regulation. The airline says it was “surprised and disappointed” by the fines.
British Airways could be forced to pay 1.5% of its worldwide turnover in fines if a ruling by the British Information Commissioner’s Office holds up. On Monday, July 8, 2019, the airline was handed over $229 million in fines (£183.39 million) over a data incident affecting its website in 2018.
According to British Airways, it self-reported the data breach to the ICO in September 2018, once it was made aware of the situation. Hackers created a loophole where flyers were diverted to a fraudulent site. Through the hacked gateway, the criminals could have compromised personal data from those booking through the website.
How many people were affected is in dispute: the ICO estimates around 500,000 passengers were affected, while British Airways claims the number is closer to 380,000. In addition, International Airlines Group – British Airways’ parent company – claims the people directly affected “were only those making reward bookings between April 21 and July 28, 2018, and who used a payment card.”
Regardless, the ICO found that British Airways did not adequately protect passengers using its website, which allowed the hack and violated the European Union’s General Data Protection Regulation. While the carrier cooperated with the investigation, the ICO found “poor security arrangements at the company” behind the website.
“When an organization fails to protect it from loss, damage or theft it is more than an inconvenience,” British information commissioner Elizabeth Denham said in the ICO press release. “That’s why the law is clear – when you are entrusted with personal data you must look after it.”
Executives for the carrier responded by saying they were “surprised and disappointed” by the ICO decision. While apologizing for the situation again, IAG announced its intention to appeal the fines.
“British Airways will be making representations to the ICO in relation to the proposed fine,” IAG chief executive Willie Walsh said in a press release. “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
FlyerTalkers were not surprised by the fines, nor were they sympathetic. On the forums, flyers expressed support for the fines levied against British Airways.
“British Airways says it’s ‘surprised and disappointed’ by the fine,” Misco60 writes on the forums. “Much as many of us were by the data breach and the subsequent indifference that BA showed towards the affected customers.”
“Given that the previous record was [around $625,000] (according to the BBC), [around $229 million] is a huge statement,” writes FlyerTalker Oaxaca. “[It] will be interesting to see what the ICO’s reasons are for the size of the fine [in appeals].”