British Airways faces more than £180m fine
British Airways (BA) is set to be fined £183.39 million, following a breach that resulted in the theft of customers' personal and financial data between June and September last year. Details of the breach were publicly disclosed on 6 September and 25 October 2018.
The breach occurred via the ba.com Web site, as well as the airline's mobile app. Users of the BA Web site were diverted to a fake Web site, where their details were harvested by cyber criminals.
At first, BA claimed approximately 380 000 payment cards were compromised; however, the Information Commissioner’s Office said in a statement that half a million customers were affected.
The British watchdog's "extensive investigation" found that several different types of information were compromised as a result of inadequate security measures at the airline, including login credentials, payment card details, travel booking details, and name and address data.
In a statement, Elizabeth Denham, information commissioner, stated that having personal data exposed was “more than an inconvenience” and said organisations need to take all necessary steps to protect their users’ privacy rights.
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” added Denham.
BA chairman and chief executive Alex Cruz said the airline was “surprised and disappointed” by the proposed fine, and claimed the organisation has found zero evidence of fraudulent activity on any accounts linked to the incident. “British Airways responded quickly to a criminal act to steal customers’ data,” he added.
Willie Walsh, CEO of parent company IAG, said: “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
Ilia Kolochenko, founder and CEO of Web security company ImmuniWeb, said even this whopping fine may not be the end of it for BA. “There may be other legal ramifications, as other parties might still have valid claims against the airline. It is now a case of determining whose negligence or misconduct ultimately caused or facilitated the breach.”
Kolochenko added that if BA was relying only on automated vulnerability scanning for a business-critical application, a cyber security supplier that suggested such a “reckless strategy” could be liable under certain circumstances, and BA could pursue them for damages.
“In any event, this is a gloomy reminder that Web and mobile application security is crucial, and if disregarded, could end up costing a company hundreds of millions. Prompt reaction, investigation and rapid disclosure won’t be good enough to avoid formidable fines. Prevention is infinitely better than cure from financial, reputational and operation standpoints.”