British Airways has been fined a record $230 million for a data breach which happened last year. Confidential information of about 500,000 British Airways customers was harvested by hackers as a result of poor security practices by the airline. Citing British Airways, the BBC reported that the leaked information included people’s names, email addresses and credit card information such as card numbers, expiry dates and the three-digit CVV codes. The airline also said that the stolen data did not include travel or passport details.
The Information Commissioner's Office (ICO) says that the incident is believed to have begun in June 2018, and that a variety of information was “compromised” due to the poor security arrangements at the company. The ICO also says that it is the biggest penalty it has handed out and the first to be made public under the new rules, the General Data Protection Regulation (GDPR), which came into effect on May 25 last year. The airline says it is “surprised and disappointed” by the penalty from the watchdog.
According to the ICO, the incident took place after users of British Airways' website were diverted to a fraudulent site. “People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” Information Commissioner Elizabeth Denham was quoted as saying.
Under the GDPR, it is mandatory for companies to report data security breaches to the Information Commissioner. The ICO has also increased the maximum penalty to 4 percent of turnover. In the case of British Airways, the penalty amounts to 1.5 percent of its worldwide turnover in 2017. Before this, the biggest penalty had been the one imposed on Facebook (GBP 500,000) for its role in the Cambridge Analytica data scandal, but that was issued before the GDPR came into effect.