British Airways faces a record $230 million fine after a website failure compromised the personal details of roughly 500,000 customers.
It would be the largest penalty yet under a tough privacy rule known as the General Data Protection Regulation, which came into force last year in the European Union.
The UK Information Commissioner’s Office said that weak security allowed user traffic to be diverted from the British Airways website to a fraudulent page starting in June 2018. The regulator said the company will have a chance to contest the proposed fine.
Attackers were able to harvest customer details including login credentials, payment card details, and travel booking details, according to the regulator. The airline disclosed the incident in September 2018.
The £183.4 million ($230 million) fine is roughly 1.5% of British Airways’ annual revenue. The carrier, which is owned by IAG, said it would fight the penalty.
“We are surprised and disappointed in this initial finding,” British Airways CEO Alex Cruz said in a statement.
“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud [or] fraudulent activity on accounts linked to the theft,” he added.
GDPR requires companies to ensure that the way they collect, process and store personal data is secure. Any organization that holds or uses data on people inside the European Union is subject to the rules, regardless of where it is based. Companies that breach the law can be fined up to 4% of their annual revenue.
“People’s personal data is just that — personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience,” Information Commissioner Elizabeth Denham said in a statement. “That’s why the law is clear — when you are entrusted with personal data you must look after it.”
Gita Shivarattan, data protection counsel at law firm Ashurst, said the proposed fine showed that “European data protection regulators are clearly ramping up fines for data breaches.”
“It reflects the seriousness of the regulators where there is a significant breach of GDPR obligations,” added Shivarattan.
The Information Commissioner’s Office has become an increasingly prominent regulator in the digital space. It fined Facebook £500,000 ($626,000) last year over the Cambridge Analytica scandal, the maximum allowed before GDPR came into force.
— Hadas Gold contributed reporting.