The British privacy regulator has fined British Airways £183 million, or €204 million, for a data breach at the airline last year in which the data of 500,000 customers was exposed.
Specifically, the fine is 183.39 million pounds, or 204.54 million euros, the British privacy watchdog writes in a statement. It would be the highest fine handed out so far under the GDPR, the European privacy law that has been in force since May 2018. The amount is 1.5 percent of the company’s total annual turnover for 2018; under the GDPR, regulators can impose a fine of up to four percent of that turnover. The fine is not yet final: at the moment it is still a proposal.
According to the British Information Commissioner’s Office, the leak was due to “poor security measures by the company.” “People’s data is personal,” said an ICO spokesperson. “If an organization fails to protect it against loss, damage or theft, it is more than just inconvenient. That’s why the law is clear: if you are entrusted with personal data, you must handle it well.” British Airways can object to the fine within 28 days. The company has already indicated that it will. According to the ICO, the company has cooperated well with the investigation and has implemented improved security measures after the data breach.
The fine comes in response to a data breach in the summer of 2018. Hackers managed to penetrate British Airways’ systems and steal data for weeks. It is not certain exactly when that started: British Airways said at the time that the hackers were active from August 21 to September 5, but the Information Commissioner’s Office says access was obtained as early as June. Initially, the company also said that data from 380,000 customers had been stolen, but the ICO’s investigation found that there were “about 500,000.” In the end, it turned out that in addition to names and e-mail addresses, credit card details had also been stolen, reportedly the card numbers themselves, the expiration dates and even the three-digit CVV codes. British Airways itself has always maintained that it does not store the latter codes.
British Airways has publicly released few details about the nature of the leak. The company did say that “the company’s encryption has not been affected.” “It involved other methods that were very sophisticated,” said CEO Álex Cruz last year. Security researchers at RiskIQ attributed the hack to Magecart, the name given to a family of web-skimming attacks in which a malicious script injected into a site’s payment page copies card details as customers type them into the form, before the data ever reaches the server. That is why a skimmer can capture a CVV code even if the merchant never stores one. Magecart had previously been used in a hack on Ticketmaster, where the attackers probably got into the website via an outdated plugin.