July 10, 2019
British Airways is set to be fined a record £183m after a breach saw over half a million of its customers’ personal data exposed.
The breach, as described by the Information Commissioner’s Office, was first disclosed on September 6, 2018. British Airways is said to have had “poor security arrangements” in regard to its customers’ personal information.
The hack is said to have been caused by code that led customers to a fraudulent site, which extracted their details and sent them to a party other than British Airways.
Elizabeth Denham, Information Commissioner, stated: “People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience.”
Investigators at RiskIQ believe the breach can be traced back to Magecart, a group known for credit card scamming. While this is not proven, it is the best lead the ICO has so far.
The personal data of over 380,000 customers was stolen and the cyber terrorists behind the attack were able to access enough credit card information for personal use. Several banks had no choice but to cancel these cards and distribute new ones to the affected customers. It was truly an inconvenience to both the people and the banks.
The breath-taking fine is said to be 1.5% of British Airways’ worldwide turnover last year and is brought under the UK Data Protection Act. While this is a hefty fine, it could have been worse.
The rules provided by the ICO state that “the maximum penalty for a company hit with a data breach is a fine of either £17 million or 4% of global turnover, whichever is greater.” British Airways could therefore have suffered a fine of up to 4% of its £11.6bn worldwide turnover, which would result in fines as large as £488m.
Willie Walsh, the chief executive of BA’s owner, International Airlines Group, said: “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.” The ICO responded by saying they will “consider carefully” any representations and appeals British Airways makes before coming to a final decision.
As for where the fine money ends up, it is up to the individuals affected to reach out to BA, which has not said whether any compensation has been paid.
The money that goes to the ICO will go directly to the Treasury, and the other penalty money will be dispersed amongst the other European data authorities.
George Salmon, an analyst at financial services company Hargreaves Lansdown, said: “The fine serves as a reminder that while one might think of data risks as more relevant to the likes of Google, Facebook and other tech giants, the new rules cover any business with customer data on board.”
This goes to show that any company that deals with customer data is fair game for penalties under the new rules. Needless to say, companies are treating this as a cautionary example and will be taking the safety of their customers’ personal data very seriously in order to prevent large fines such as this one.