In September 2018, details of a massive British Airways data breach went public.
The basics of British Airways’ data breach
It was revealed that between August 21 and September 5, 2018, personal and financial details of customers using ba.com may have been compromised. Initial reports suggested that this impacted about 380,000 transactions, so that’s a significant breach.
Many of you are probably familiar with the General Data Protection Regulation (GDPR), which came into effect last year, and has some strict new guidelines for how companies have to protect consumers’ information.
British Airways facing £183m fine
British Airways is now facing the consequences of this breach under GDPR, and their fine is massive. British Airways is looking at a £183m fine from the Information Commissioner’s Office (ICO) for last year’s data breach.
This is the biggest penalty the ICO has ever handed out, and it’s the first to be made public under the new rules.
Information Commissioner Elizabeth Denham had the following to say:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
With GDPR, the maximum penalty for a breach like this is 4% of annual turnover. British Airways’ penalty amounts to about 1.5% of their annual turnover.
So while it’s not the maximum, it’s by far the biggest fine the ICO has ever levied; the previous record was a £500,000 fine to Facebook. This British Airways fine is nearly 370x as big as that one.
It sure does seem like the commission is trying to make an example of British Airways here. While they’re fining within the limits, I think this will send a message to companies about the importance of safely securing customer data.
British Airways is appealing the decision
Following this ruling, British Airways has 28 days to appeal the decision.
IAG CEO Willie Walsh has said that the airline intends to appeal the decision:
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
Meanwhile British Airways CEO Alex Cruz has said he’s “surprised and disappointed” in their findings:
“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
It sure seems like major data breaches have become more common in the past couple of years, rather than less common. This penalty for British Airways does seem extreme, given the previous precedent. At the same time, it doesn’t seem unreasonable, given that it’s not even the maximum fine they could have received.
If this doesn’t send a shiver down the spine of the executive of any major company, I don’t know what will.
I’ll be curious to see if British Airways has any luck with their appeal…