British Airways faces a record $328 million fine over cyber theft after a hack last year that affected half a million customers — the highest penalty ever proposed under tough new data protection rules.
British Airways owner International Airlines Group (IAG) said the United Kingdom Information Commissioner's Office (ICO) intended to impose a penalty of 183.4 million pounds ($328.6 million) for the theft of customer data from the airline's website.
The airline revealed last September that the credit card details of hundreds of thousands of its customers were stolen in an attack on its website and app.
The scam saw customers diverted to a fake website where credit card details were harvested by the attackers.
Hackers stole credit card numbers, expiration and three-digit security codes, as well as names, addresses and email addresses.
Information Commissioner Elizabeth Denham said: "People's personal data is just that — personal."
"When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
"That's why the law is clear — when you are entrusted with personal data you must look after it."
The proposed penalty equates to 1.5 per cent of British Airways' worldwide turnover for 2017.
ICO said its investigation found "poor security arrangements" by British Airways, but the airline indicated that it planned to appeal against the fine.
The penalty was the product of European data protection rules, called GDPR, that came into force in 2018. They allow regulators to fine companies up to 4 per cent of their global turnover for data protection failures.
"We are surprised and disappointed in this initial finding from the ICO," said Alex Cruz, chairman and chief executive of British Airways.
"British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud [or] fraudulent activity on accounts linked to the theft," he said, adding an apology to customers for any inconvenience caused.
Willie Walsh, IAG's chief executive, said British Airways would be making representations to the ICO in relation to the proposed fine.
"We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals," he said.
Source: ABC News