Last year, British Airways suffered a data breach affecting an estimated 500,000 people. Now that the Information Commissioner’s Office has investigated the incident, BA has been issued with a proposed fine. The fine amounts to £183 million.
The fine comes as a huge blow to British Airways, as it has been calculated to comprise 1.5% of the airline’s worldwide turnover for the financial year ending on 31 December 2017. However, it will likely also set a precedent, as the first such fine to be issued since GDPR regulations came into force last year.
What happened to cause the fine?
The proposed fine of £183 million is the result of a data breach affecting up to 500,000 people. It has been reported that poor security arrangements led to customers being directed to a fraudulent website. According to the Information Commissioner’s Office, the data involved included “log-in, payment card, and travel booking details, as well [as] name and address information”.
The data breach is believed to have begun in June 2018, having been discovered by the airline in September of that year. At the time that the breach was discovered, British Airways said that it could have affected customers that used the website from August 21st until September 5th. These dates are how the airline calculated that 380,000 individual transactions had potentially been compromised.
A sizeable fine
The proposed fine is certainly sizeable for the airline. In fact, the amount was calculated by the Information Commissioner’s Office to account for 1.5% of BA’s worldwide turnover for the financial year ending on 31 December 2017. Bloomberg reports that fines can comprise up to 4% of a company’s sales for the year.
However, the fine looks even larger when set against British Airways’ 2018 numbers. For the year up until 31st December 2018, BA’s operating profit after exceptional items was €2,655 million. This equates to roughly £2,380 million. All in all, £183 million accounts for 7.7% of the £2,380 million figure from 2018.
British Airways intends to appeal the fine
Simple Flying contacted a British Airways representative who forwarded our request to IAG, BA’s owners. IAG told us that their CEO, Willie Walsh, said,
“British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
Meanwhile, British Airways CEO Alex Cruz added,
“We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
At the moment the fine is only proposed. However, the Information Commissioner, Elizabeth Denham, told Flight Global,
“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear. When you are entrusted with personal data you must look after it.”
What do you make of the proposed fine? Is it too harsh or too lenient? Let us know in the comments!