The UK’s data privacy authority has announced it intends to levy its largest ever fine against airline British Airways (BA). The airline will have to pay £183.39 million ($230 million) to the Information Commissioner’s Office (ICO) for failing to protect its customers’ data.
In September last year, hackers stole the data of anyone who booked a flight through the BA website over a two-week period, affecting around 380,000 people. The pilfered data included login details, payment information, travel booking information, and addresses. The attack was coordinated by a well-established group who were also responsible for other security breaches like the one affecting ticket website Ticketmaster UK.
In a statement, Information Commissioner Elizabeth Denham said that the loss of personal data is “more than an inconvenience” and that companies should take appropriate steps “to protect fundamental privacy rights.”
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The airline may have responded quickly to the breach, but it is still responsible for the poor security which allowed the hackers to access the data in the first place. BA has said it intends to appeal the finding, and the ICO has said it will consider that appeal before making a final decision.