British Airways (BA) is about to be slapped with a massive fine of £183 million ($229 million) by the Information Commissioner’s Office (ICO). The penalty is for failing to secure its site and preventing the theft of some 500,000 users’ personal information in a data breach it suffered last September.
In what the airline called a “sophisticated, malicious criminal attack,” hackers stole roughly half a million customers’ data, including names, addresses, phone numbers, and payment information. The data was collected via BA’s website and app, and the attack was said to have been initiated back in June 2018. According to cybersecurity firm RiskIQ, it took just 22 lines of code for the hackers to gain access to the data in question.
That’s a hefty sum to cough up, and BA has the EU’s GDPR laws to thank for it. The privacy regulations stipulate that companies which fail to keep customers’ data safe can be fined up to 4 percent of their annual revenue. The figure of $229 million is about 1.5 percent of the airline’s global turnover from 2017 – so you could say the company actually got off lightly.
BA will have a chance to appeal the fine over the next 28 days. As the BBC noted, it’s the largest penalty imposed by the ICO since the $626,000 (£500,000) that Facebook was asked to cough up over the Cambridge Analytica scandal.
While it’s a sad day for the airline, the enormous fine should hopefully put other firms with any sort of digital infrastructure on alert to properly secure their networks and protect customers’ data.