British Airways Fined GBP183 Million for Data Breach

The UK is fining British Airways £183.4 million (US$229 million) for data protection infringements over the theft of customer booking details last year.

The UK Information Commissioner's Office (ICO) said the data theft involved user traffic to the British Airways website being diverted to a fraudulent site, where customer details were stolen.

Data on half a million customers was harvested, including login, payment and travel booking details, plus names and addresses. The attack, which the ICO believes started in June 2018, was due to “poor security arrangements at the company,” it said.

UK Information Commissioner Elizabeth Denham said the law is clear: “when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The airline’s chief executive Alex Cruz said the company is “surprised and disappointed” with the initial finding.

“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

Willie Walsh, the CEO of BA's parent company IAG, said the airline “will be making representations to the ICO in relation to the proposed fine.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

The £183 million proposed fine represents 1.5 percent of British Airways’ worldwide turnover for the financial year to end December 2017.