British Airways faces a record $230 million fine after a security failure on its website compromised the personal data of around 500,000 customers. It would be the highest penalty yet under a strict privacy rule called the General Data Protection Regulation (GDPR), which came into force a year ago in the European Union. The UK Information Commissioner’s Office stated that weak security allowed user traffic to be diverted from the British Airways website to a fake page starting in June 2018. The regulator stated that the company would have a chance to challenge the proposed fine. According to the regulator, attackers were able to gather customers’ personal details, including payment card details, logins, and travel booking details. The airline disclosed the incident in September 2018.
The $230 million fine is roughly 1.5% of British Airways’ yearly revenue. The carrier, which is owned by International Airlines Group (ICAGY), stated that it would undoubtedly fight the penalty. “We are disappointed and surprised in this early finding,” British Airways CEO Alex Cruz said in an announcement. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraudulent activity on accounts associated with the theft,” he stated. GDPR requires companies to ensure that the way they collect, process, and store personal data is secure. Any institution that uses or holds information on people inside the European Union is subject to the regulation, irrespective of where it is based. Companies that violate the law can be fined up to 5% of their annual revenue.
“When an organization fails to shield it from loss, theft, or damage, it is more than a problem,” Information Commissioner Elizabeth Denham said in an announcement. “That’s why the law is made clear; when you are entrusted with personal info, you must look after it,” added Denham. The Information Commissioner’s Office has progressively become a major regulator in the digital space. Last year it fined Facebook around $626,000 over the Cambridge Analytica scandal, the maximum penalty allowed before GDPR came into force.