Britain’s Information Commissioner’s Office (ICO) imposed a record fine of £183.4 million ($230 million) on British Airways for breaching privacy laws. The fine is estimated to be about 1.5% of the airline’s annual revenue. The airline’s CEO, Alex Cruz, called the ICO’s decision surprising and disappointing. The company, owned by IAG (ICAGY), said the transfer of the information was not its fault, as its website had been hacked by attackers who carried out a “sophisticated, malicious criminal attack”. The airline said it intends to fight the penalty.
Last year, a compromise of BA’s website led to the personal details of roughly 500,000 customers being diverted to a fraudulent site, which had been set up in June 2018. The British regulator penalised the company for the security lapse and for failing to maintain strict data security measures, which gave the attackers access to customer details including logins, payment cards and travel booking details. The airline disclosed the incident in September 2018.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Cruz issued a statement saying, “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud [or] fraudulent activity on accounts linked to the theft.”
The ICO said that it is the biggest penalty levied so far by the body and the first to be imposed under the new rules.
“There is no grace period,” said James Dipple-Johnstone, the deputy commissioner of the UK’s data protection authority. “We will be looking at the algorithms they use to profit off data to make sure they are fair,” he added.
The ICO imposed the fine under the new rules, i.e. the General Data Protection Regulation (GDPR), which was adopted last year in the European Union to ensure that the way companies gather, process and store data is safe. Any organisation that holds data on EU citizens falls within the scope of the regulation, regardless of where it is based. Under the regulation, companies that violate its privacy provisions can be fined up to 4% of their annual revenue.