The UK’s Information Commissioner’s Office (ICO) has slapped a massive £183 million fine on British Airways for a data breach under the General Data Protection Regulation (GDPR).
The ICO carried out an extensive investigation into the cybersecurity incident, which affected as many as 500,000 British Airways customers. The incident took place in September 2018, when a fraudulent website was used to harvest customer details. The attack is believed to have begun in June 2018.
The ICO’s information revealed that the personal data of British Airways customers had been compromised due to poor security arrangements. The compromised data included login, payment card, name, and address information, as well as travel booking details.
The Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face the scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Alex Cruz, Chairman and CEO of British Airways, said that the company is both surprised and disappointed by the ICO’s finding. In the statement, he apologized on the company’s behalf for the inconvenience caused to customers.