The UK Information Commissioner’s Office (ICO) has revealed that it is preparing to impose a GDPR penalty on British Airways for a recent data privacy breach.
The security infringement took place when British Airways customers were sent from the official BA website to a spoof site where user data was harvested. Introduced in May 2018, GDPR was developed to give greater protection and control to people when it comes to how their personal data is used or shared.
Security breaches now attract harsh penalties under the new GDPR regime. The proposed fine for British Airways is €204.6 million ($229.16 million), which represents 1.5% of BA’s revenues in 2017.
The announcement comes after a recent investigation into a 2018 incident which the UK’s Information Commissioner’s Office (ICO) says exposed an estimated 500,000 BA customers.
The ICO said that customers who were sent from the official British Airways website to a fraudulent site had their user data harvested. Information including names, addresses and payment details was compromised, at least in part, because of BA’s security flaws.
The UK’s Information Commissioner Elizabeth Denham released a statement which read: “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.”
Following an announcement like this, the party deemed at fault for the breach has up to 28 days to make representations to the ICO before the penalty is finalised. The ICO will also take into account the views of the various European Union data protection authorities.
British Airways has already said that it will make representations to the ICO to appeal the decision and is also considering an appeal to the UK Information Rights Tribunal.
BA chairperson Alex Cruz apologised to customers saying: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
British Airways is not the first large multinational company to face a significant fine since the introduction of GDPR. In early July 2018, the ICO revealed that it intended to penalise Facebook to the tune of £500,000 ($663,000) in relation to the Cambridge Analytica scandal, which is thought to have affected up to 87 million users globally.
In the last few months, the ICO has penalised the insurance company Eldon Insurance £120,000 (€149,558) for sending more than 3 million SMS texts, and fined Bounty, a pregnancy and parenting group, £400,000 ($498,528) for sharing the personal data of over 14 million individuals.