British Airways faces potential €200 million GDPR fine

The UK Information Commissioner’s Office (ICO) has announced that it intends to fine British Airways for a recent infringement of the General Data Protection Regulation (GDPR). The security breach occurred when British Airways customers were directed away from the BA website to a bogus site where user data was harvested. Introduced in May 2018, GDPR is designed to give greater protection and control to individuals when it comes to the use of their personal data.

Under GDPR, security breaches can now be met with harsh penalties: fines of up to 4% of an organisation's annual worldwide turnover. In BA's case the proposed penalty is £183.39 million, roughly €204.6 million ($229.16 million), which the ICO says represents 1.5% of BA's worldwide turnover in 2017.

The announcement follows the ICO's investigation into a 2018 incident that the regulator says exposed the personal data of an estimated 500,000 customers.

According to the ICO, customers who were diverted from the official British Airways website to a fraudulent site had their data harvested as they entered it. Information such as names, addresses, login details and payment card details was compromised, at least in part because of weak security arrangements at BA.

In a statement, the UK's Information Commissioner, Elizabeth Denham, noted that GDPR seeks to protect personal information because it is, by its very nature, private. She said: “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.”

What now for British Airways? The ICO's announcement is a notice of intent, not a final penalty. The organisation held responsible for the breach has 28 days to make representations to the ICO before a final decision is taken, and the ICO will also consider views from the other European Union data protection authorities before settling on the amount.

British Airways has already indicated that it intends to make representations to the ICO and may contest the decision. Once a final penalty notice is issued, it can also appeal to the UK Information Rights Tribunal.

In a statement, BA chairman and chief executive Alex Cruz apologised to customers but said: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

British Airways is not the first high-profile company to face a significant fine from the ICO since the General Data Protection Regulation came into force. In July 2018, the ICO announced that it planned to fine Facebook £500,000 ($663,000) over the Cambridge Analytica scandal, which is believed to have affected up to 87 million users worldwide. That penalty, however, was the maximum available under the earlier Data Protection Act 1998, because the conduct in question predated GDPR; the BA figure shows how much larger the penalties now on the table are.

More recently, the ICO has fined the insurance company Eldon Insurance £120,000 (€149,558) for sending more than 3 million SMS texts, and fined Bounty, a pregnancy and parenting club, £400,000 ($498,528) for sharing the personal data of over 14 million people.

GDPR has now been in effect for just over a year, and it is clear that many organisations handling personal data have still not made the changes needed to comply. British Airways is not the first company to fall foul of the regulation, and it certainly will not be the last.