British Airways fined £183million – Our View

British Airways fined £183million after the personal details of nearly half a million customers may have been stolen – the first ICO announcement of a fine under the strict new GDPR data protection rules

British Airways will have to pay a £183million fine for a data breach that saw card details of more than 380,000 customers stolen from its website and app.

The ICO has imposed the huge cash penalty on the airline (1.5% of its 2017 turnover) after one of the most serious cyber attacks in the UK.

Staff detected the breach and called the police; it was then discovered that tens of thousands of customers had their name, billing address, email address and card payment information, including card number, expiry date and CVV security code, potentially compromised. Many thousands more had their personal details taken without the CVV code being captured.

British Airways chairman Alex Cruz said today the airline was ‘disappointed’ by the initial finding. The fine could still increase, up to £500million.

IAG chief executive Willie Walsh said it would consider appealing the fine as it seeks ‘to take all appropriate steps to defend the airline’s position vigorously’.

The data breach affected 380,000 customers who booked flights online or via the BA app between April 21 and July 28, 2018, and who used a payment card.

BA has insisted it told customers about the security breach as soon as it could, but the cyber failure is a massive blow to the airline’s once renowned reputation for customer service, with some victims vowing never to use it again.

Following disclosure of the hack, BA promised to compensate affected customers and took out full-page adverts in British newspapers to apologise to passengers.

GDPR establishes the key principle that individuals must explicitly grant permission for their data to be used. Rachel Aldighieri, managing director of the Data & Marketing Association (DMA), said: ‘This is the first fine the ICO has announced under the new GDPR laws and the level of the proposed fine is unprecedented in the UK, highlighting the importance all businesses should place on the security of customers’ data.

‘Data is a fundamental part of the digital economy, so maintaining its security must be a business imperative. Trust in how brands collect, store and use data is essential to the relationship between businesses and their customers.’

Cyber security experts found the stolen credit card details were put up for sale online for between £6.94 and £38.58 each, and it is said that the hackers who stole the details of the British Airways customers could have raised £9.4million for Russian criminals.

Magecart, a Russian-linked criminal group, is said to be behind the data breach. The group, which has been active since 2015, has also targeted other major companies, including the concert tickets website Ticketmaster.

Our view

This case illustrates perfectly the importance of monitoring a supply chain. Taking credit or debit card details opens the door to a data breach, so businesses have to be absolutely sure that the third-party suppliers and services in their payment path are monitored and secure to the same standard as their own systems. Trust alone is not good enough.