Quality Management System
British Airways is facing a record fine of £183m for last year's breach of its security systems. The airline, owned by IAG, says it was "surprised and disappointed" by the penalty from ICO.
At the time, BA said hackers had carried out a "sophisticated, malicious criminal attack" on its website. The ICO said it was the biggest penalty it had ever handed out and the first to be made public under new rules that came into effect on 25th May 2018.
The ICO said the incident took place after users of British Airways' website were diverted to a fraudulent site. Through this false site, details of around 500,000 customers were harvested by the attackers, the ICO said.
The Information Commissioner said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
The incident was first disclosed on 6th September 2018 and BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details. The watchdog said a variety of information was "compromised" by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.
BA initially said information included names, email addresses, credit card information such as credit card numbers, expiry dates and the three-digit CVV code found on the back of credit cards, although BA has said it did not store CVV numbers.
The watchdog said BA had co-operated with its investigation and made improvements to its security arrangements.
BA has 28 days to appeal. Willie Walsh, chief executive of IAG, said British Airways would be making representations to the ICO. "We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals," he said.
Alex Cruz, British Airways' chairman and chief executive, said the airline was "surprised and disappointed" in the ICO's initial finding. "British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. "We apologise to our customers for any inconvenience this event caused."