BA fined £183m over computer theft of passenger data

BA parent group IAG said the UK Information Commissioner's Office intends to issue the airline with a penalty notice under the U
BA parent group IAG said the UK Information Commissioner's Office intends to issue the airline with a penalty notice under the UK Data Protection Act, of £183.39 million

The UK's data privacy watchdog has fined British Airways more than £183 million after computer hackers last year stole bank details from hundreds of thousands of passengers, the pair said on Monday.

The UK Information Commissioner's Office (ICO) said it had issued a notice of its intention to fine BA £183.39 million ($229.7 million, 205 million euros) for infringements of EU data protection rules, or GDPR.

"People's personal data is just that—personal," Information Commissioner Elizabeth Denham said in a statement.

"When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear —when you are entrusted with personal data you must look after it," she added.

In a separate statement, BA's parent group IAG said the fine was equivalent to 1.5 percent of British Airways' turnover in 2017. Companies can be fined up to four percent of annual global turnover for breaching EU data protection rules.

The fine is equivalent to more than 7 percent of IAG's net profit last year.

IAG chief executive Willie Walsh said it would consider appealing the penalty as it seeks "to take all appropriate steps to defend the airline's position vigorously".

BA's CEO Alex Cruz said the airline was "surprised and disappointed" by the punishment.

"British Airways responded quickly to a criminal act to steal customers' data," he said in the statement.

"We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused," Cruz added.

Shares in IAG were down 1.0 percent following the announcement and in early trading on London's benchmark FTSE 100 index, which was down 0.25 percent overall.

Personal data of approximately 500,000 customers were compromised, beginning in June 2018, the ICO said Monday.

This was shortly after the European Union introduced its tighter data protection law, the General Data Protection Regulation (GDPR).

BA meanwhile publicly revealed the hack in September.

The stolen data comprised customer names, postal addresses, email addresses and credit card information.

However the 15-day breach, which was fixed on discovery, did not involve travel or passport details.

Following disclosure of the hack, BA promised to compensate affected customers and took out full-page adverts in the UK newspapers to apologise to passengers.

It had meanwhile described the mass theft as "a very sophisticated, malicious, criminal attack on our website".

IAG is the owner of five airlines, including also Aer Lingus, Iberia, Level and Vueling, none of which were affected by the hack.

GDPR establishes the key principle that individuals must explicitly grant permission for their data to be used.

The case for the new rules had been boosted by a scandal over the harvesting of Facebook users' data by Cambridge Analytica, a US-British political research firm, for the 2016 US presidential election.


Explore further

BA scrambles to address theft of passenger bank details

© 2019 AFP

Citation: BA fined £183m over computer theft of passenger data (2019, July 8) retrieved 21 July 2019 from https://phys.org/news/2019-07-ba-fined-183m-theft-passenger.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.
0 shares

Feedback to editors

User comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more