Airline to appeal massive GDPR-related breach sanctions

British Airways faces a huge £183.39 million ($229m) fine under General Data Protection Regulation (GDPR) rules over a customer data breach last year.

The proposed fine by the Information Commissioner’s Office (ICO) – which the airline contests – relates to a breach of BA’s website that led to the exposure of customer data, including (in some cases) payment information.

Personal data of approximately 500,000 customers was compromised in this incident, which is reckoned to have begun in June 2018, when cybercriminals planted malicious JavaScript code on the airline’s payment site.

In September 2018, BA notified the ICO of the breach, which involved user traffic to the British Airways website being diverted to a fraudulent site.

The unidentified cybercrooks behind the data heist used Magecart-style tactics.

The ICO’s investigation has found that a “variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information”.

GDPR provides for fines up to 4% of the annual turnover of a breached organization.

The proposed BA penalty works out at 1.5% of its global turnover in 2017, less than the maximum possible, but still a massive increase on any fine previously imposed by the data protection watchdog.

The previous maximum fine was the £500,000 ($627,000) levied against Facebook over its role in the Cambridge Analytica data scandal.

Willie Walsh, chief executive of BA’s parent company International Airlines Group (IAG), said in a statement the airline would appeal the penalty.

British Airways, which has 28 days to appeal, said it was “surprised and disappointed” by the ICO’s stance.

“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft,” said Alex Cruz, British Airways' chairman and chief executive.

“We apologize to our customers for any inconvenience this event caused.”

In a statement, the ICO said it will “consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision”.

The ICO credited BA with co-operating with its investigation and making security improvements to its website since the breach was exposed.

RELATED: British Airways mega-breach underlines third-party script perils