British Airways is facing a £183 million (roughly $229 million USD) from the Information Commissioner’s Office (ICO) after a data breach affected about 500,000 customers.
The malicious attack, which occurred on Sept. 6, 2018, used relatively simple techniques to harvest information. Visitors to British Airways’ website were diverted to a fraudulent site, which appeared nearly identical to the official site. Hackers then used the fake site to gather information, including credit card numbers, log in information, trip itineraries, names, and addresses. This type of phishing attack can be prevented with appropriate data security practices, as the malicious actors rely on website exploits to enact their strategies.
The attack was successful, and while British Airways reportedly moved quickly to repair their site’s vulnerability, some customers reported monetary losses as a result of the attack.
“British Airways responded quickly to a criminal act to steal customers’ data,” said Alex Cruz, chief executive and chairman of British Airways. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused.”
According to ICO commissioner Elizabeth Denham, the hefty fine — a record-breaking sum — will provide an incentive for other companies to shore up their defenses.
“People’s personal data is just that — personal,” Denham told the BBC. “When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.”
The large fine is the result of new rules in the General Data Protection Regulation (GDPR), generally considered to be the widest reaching privacy law introduced in decades. Per reportage by BBC, the GDPR allows for fines of 4 percent of a company’s annual sales volume (called “turnover” in British accounting).
The fine amount is 1.5 percent of British Airways’ turnover in 2017. The company has indicated that it will appeal the decision.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” said Willie Walsh, the chief executive of International Airlines Group, of which British Airways is a subsidiary.
Previously, the largest fine for a data breach was £500,000 charged to Facebook during the Cambridge Analytica scandal.