British Airways faces a £183 million fine (AU $329 million) by the UK Information Commissioner’s Office (ICO) for breaching the EU General Data Protection Regulation (GDPR).
The ICO found that hackers infiltrated British Airways’ website and app and directed customers to an identical-looking fraudulent platform which harvested their credit card details. Approximately 500,000 customers were affected.
The GDPR has been in effect since May 2018. One of the principal requirements under the GDPR is that businesses maintain certain standards of security to protect personal data they collect or hold. Businesses are also required to report security breaches to their regulator within 72 hours of becoming aware of the breach. While British Airways reported the breach within the required time frame, the ICO still found that it had failed to implement adequate security measures in and around its online booking applications to protect their customers’ data from a cyber attack.
This is the first penalty announced by the ICO for enforcement under the GDPR. The amount represents 1.5% of British Airways’ annual turnover. Under the GDPR, businesses may be fined up to 4% of their annual turnover.
This case demonstrates the need to exercise responsible data privacy management and for businesses to ensure they are aware of and up-to-date on current cybersecurity and technology risks.
While a final penalty amount is yet to be determined and British Airways does have an opportunity to appeal, it’s expected that regulators will take a firm stance on companies who aren’t investing enough into their data security policies. As explained by Information Commissioner Elizabeth Denham, “That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken the appropriate steps to protect fundamental privacy rights.”
GRC Solutions provides both off-the-shelf and bespoke training on issues surrounding privacy and data protection. To find out more about our GDPR course, contact us today.