July 15, 2019
On 8 July, the ICO published a statement in response to an announcement by British Airways to the London Stock Exchange that the ICO intends to fine British Airways for breaches of data protection law.
The ICO explains that following an extensive investigation, it issued a notice of its intention to fine British Airways £183.39 million for infringements of the General Data Protection Regulation (GDPR).
The ICO says that the proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.
The ICO’s investigation found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details, as well name and address information.
The ICO says that British Airways cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have the opportunity to make representations to the ICO as to the proposed findings and sanction.
The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR “one stop shop” provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
The ICO says that it will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision. To read the ICO’s statement in full, click here.