LONDON, UK: British Airways has been slapped with a record fine of $230 million after a website failure that resulted in compromised privacy of nearly 500,000 customers.
It is the biggest penalty under the tough General Data Protection Regulation (GDPR), which came into force last year in the European Union.
The Information Commissioner’s Office said that weak security allowed user traffic to be diverted from the British Airways website to a fraudulent page starting in June 2018.
The regulator said the company has the right to contest the proposed fine.
The hackers were able to retrieve customer details including logins, payment cards, and travel booking details, the regulator disclosed.
British Airways revealed about the privacy breach in September 2018.
The $230 million fine is roughly 1.5% of British Airways’ annual revenue.
“We are surprised and disappointed in this initial finding,” British Airways CEO Alex Cruz said in a statement.
“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud [or] fraudulent activity on accounts linked to the theft,” he stressed.
The EU regulation forces companies to ensure that the data, they collect, process and store, is safe.
Any firm that stores or uses data on people inside the European Union is subject to the rules, regardless of its origin.
Companies can be fined up to 4% of their annual revenue in case of a data breach.
“People’s personal data is just that — personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience,” Information Commissioner Elizabeth Denham said.
“That’s why the law is clear — when you are entrusted with personal data you must look after it,” she added.
Data protection counsel Gita Shivarattan said the proposed penalty shows that “European data protection regulators are clearly ramping up fines for data breaches.”
“It reflects the seriousness of the regulators where there is a significant breach of GDPR obligations,” Shivarattan reflected.