After a data breach exposing the details of around 500,000 customers, IAG-owned British Airways (BA) is facing a proposed record fine of £183.39 million, the largest ever announced by the Information Commissioner’s Office (ICO).
According to BA, the company came under a ‘sophisticated, malicious criminal attack’ which resulted in the theft of customer data. Customers intending to use the BA website were instead diverted to a fraudulent site, where the details they entered were harvested by the attackers. Personal and financial data were stolen, with names, payment card details and billing addresses all affected; passport details were not compromised. The attack is thought to have begun in June 2018 and continued until BA detected it; BA reported the incident to the ICO in September 2018.
On a basic level, the GDPR is a direct replacement for the Data Protection Act 1998, which implemented the EU’s 1995 Data Protection Directive in UK law.
Applying to any organisation that collects or processes the personal data of individuals in the EU, wherever that organisation is based, the GDPR is intended to protect the privacy and rights of individuals, giving data subjects more clearly delineated rights over what data is held about them, how it can be used, and when it should be deleted.
Although the GDPR reduces the number of headline data protection principles from eight to six (with an overarching accountability requirement added on top), it is much broader in scope than the regime it replaces, handing individuals greater control over their own personal data and imposing far harsher penalties on organisations that fail to comply.
The ICO found that the breach, and the resulting loss of customer data, infringed the General Data Protection Regulation (GDPR), which came into force on 25 May 2018. The regulator said the stolen information had been ‘compromised by poor security arrangements at British Airways’.
Information Commissioner Elizabeth Denham explained: ‘When an organisation fails to protect [personal data] from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear - when you are entrusted with personal data you must look after it.’
The fine is the biggest since the GDPR came into law, overtaking the record set by the £500,000 fine handed out to Facebook in October 2018 after the Cambridge Analytica privacy case affecting nearly 87 million users.
This is well short of the maximum that could have been levied. The most serious GDPR infringements carry penalties of up to €20 million or 4% of the offending company’s worldwide annual turnover for the preceding financial year, whichever is higher. The £183m amounts to just under 1.5% of British Airways’ turnover for 2017, the year before the breach.
BA is expected to contest the fine, with its chairman and chief executive Alex Cruz stating that the company was ‘surprised and disappointed’ with the ICO’s penalty. IAG chief executive Willie Walsh added: ‘British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.’
The size of the proposed fine is widely seen as a signal that regulators intend to enforce the GDPR seriously against major companies, particularly where a breach affects so many people.
BA has 28 days to make representations to the ICO before the penalty is finalised, and may appeal once the final decision is issued.
At Virtual College, we understand the importance of GDPR, and the serious implications of a company not being compliant. Therefore, we offer comprehensive GDPR courses to businesses to help them avoid a similar situation.