The Information Commissioner’s Office (ICO) has issued British Airways with a huge penalty after the personal details of more than 500,000 customers were stolen from its website and app.
The data watchdog has told the International Airlines Group (IAG) that the fine will be equivalent to 1.5% of its worldwide turnover for 2017.
Last September, police were called after hackers launched a cyber-attack against the airline, which is owned by IAG.
Fine
Staff at the airline only notified the authorities of the incident 16 days after it started on August 21.
The General Data Protection Regulation (GDPR) came into force last year and was the biggest shake-up to data privacy in 20 years.
The penalty imposed on BA is the first to be made public under GDPR, which makes it mandatory to report data security breaches to the Information Commissioner.
The largest fine dished out previously was for Facebook for its role in the Cambridge Analytica data scandal, which affected 87 million users. That sum was the maximum fine allowed under the old data protection rules that applied before GDPR.
British Airways chairman Alex Cruz said today they were ‘disappointed’ by the initial finding – despite initial warnings the fine could be up to £500 million.
The names, billing addresses, email addresses and credit card information were potentially compromised during the data breach which affected tens of thousands of people.
Hundreds of thousands of others had their personal details taken without their CVV code captured.
The airline initially said around 380,000 payment cards had been compromised, but the ICO said in a statement that the personal information of 500,000 customers had been affected.
The ICO said the incident in part involved user traffic to the site being diverted to a fraudulent site, through which the data was “harvested” by cyber attackers.
It said personal data “of approximately 500,000 customers” was “compromised by this incident”.
Mr Cruz told the Daily Mail: ‘British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.’
Card skimming group Magecart, which also hit Ticketmaster, was blamed for the data breach.
The group is believed to have exploited third-party scripts, possibly modified JavaScript, running on BA’s site to gain access to the airline’s payment flow.
In essence, the incident in part involved user traffic to the British Airways website being diverted to a fraudulent site, where customer details were harvested by the attackers.
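The third-party-script weakness described above is what a defender audits for after a Magecart-style incident. The following is an added example, not BA's code: it parses a page's script tags and flags external scripts whose host is not on an operator-maintained allowlist, scripts loaded without Subresource Integrity (SRI), and inline scripts that SRI cannot pin. The allowlist, hostnames, and sample HTML are all constructed for illustration.

```python
"""Audit <script> tags on a checkout/booking page for Magecart-style risk.

Added example; hosts, allowlist and sample HTML are constructed, not BA's.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the only hosts the operator has approved for scripts.
ALLOWED_HOSTS = {"www.example-airline.test", "cdn.example-airline.test"}


class ScriptAuditor(HTMLParser):
    """Collect (finding, src) tuples for every <script> tag encountered."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            # Inline code cannot carry an SRI hash; it needs a CSP nonce/hash instead.
            self.findings.append(("inline-script", None))
            return
        host = urlparse(src).netloc.lower()  # "" for same-origin relative paths
        if host and host not in ALLOWED_HOSTS:
            self.findings.append(("unexpected-host", src))
        if host and "integrity" not in a:
            # Without SRI the browser will run whatever the remote host serves,
            # including a modified copy of a legitimate library.
            self.findings.append(("missing-sri", src))


def audit(html):
    """Return the list of findings for one HTML document."""
    parser = ScriptAuditor()
    parser.feed(html)
    return parser.findings


# Constructed sample page; the integrity value is a placeholder, not a real hash.
SAMPLE = """<html><head>
<script src="https://cdn.example-airline.test/modernizr.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example-airline.test/booking.js"></script>
<script src="//cdn.not-on-allowlist.test/gateway.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, src in audit(SAMPLE):
        print(f"{kind:16} {src or '(inline)'}")
```

Run against a saved copy of each payment page on a schedule and alert on any new finding; the first script is the only one that passes both checks.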
IAG chief executive Willie Walsh said it would consider appealing the fine as it seeks ‘to take all appropriate steps to defend the airline’s position vigorously’.
IAG owns five airlines; the other four, Aer Lingus, Iberia, Level and Vueling, were not affected by the hack.
Security
The data breach affected customers who booked flights via the BA app or online between April 21 and July 28, 2018.
BA insisted it had told customers about the security breach as soon as it could.
Some victims have since vowed never to use the airline again after the cyber-attack.
The airline says it has not received any reports from customers who had had money fraudulently taken out of their accounts. The stolen data did not include passport details but did include ‘personal information’.
BA promised to compensate affected customers after the data breach and even took out full-page adverts in newspapers to apologise to its loyal customers.
The airline described the mass theft as “a very sophisticated, malicious, criminal attack on our website”.
The ICO said it was the biggest penalty it had ever handed out and was the first to be made public under new rules.
Information commissioner Elizabeth Denham told Sky News: “People’s personal data is just that – personal.
“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it.
“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”