British Airways is facing a record fine of £183m ($229m) for last year’s breach of its security systems. The UK’s Information Commissioner’s Office (ICO) said it was the biggest penalty it had handed out and the first to be made public under new rules.
The ICO said the incident took place after users of British Airways’ website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, the ICO said. The incident was first disclosed on 6 September 2018 and BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details.
The General Data Protection Regulation (GDPR) came into force last year and was the biggest shake-up to data privacy in 20 years. The penalty imposed on BA is the first one to be made public since those rules, which make it mandatory to report data security breaches to the information commissioner, were introduced. The GDPR also increased the maximum penalty to 4% of turnover. The BA penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum.