British Airways to face £183m fine from ICO over data breach

The Information Commissioner’s Office (ICO) has issued a notice of its intention to fine British Airways £183.39m over a passenger data breach.

The breach that took place last year involved customers’ credit card information, which included names, email addresses, expiry dates and the three-digit CVV code on the back of credit cards.

It involved user traffic to the British Airways website being diverted to a fraudulent site, through which the customer details were harvested by the hackers.

According to British Airways’ parent company International Airlines Group (IAG), the penalty equated to 1.5% of its worldwide turnover for 2017.

ICO will issue the penalty notice under the UK Data Protection Act.

British Airways chairman and CEO Alex Cruz said: “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.

“We apologise to our customers for any inconvenience this event caused.”

ICO issued a notice of its intention to fine following an extensive investigation. The fine will be levied for infringements of the General Data Protection Regulation (GDPR).

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.

“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways is preparing to make necessary representations to the ICO in relation to the proposed fine.

ICO will carefully consider the company’s representations and the other data protection authorities before making a final decision.