The GDPR supervisory authority, UK Information Commissioners Office (ICO), issued to British Airways the biggest GDPR penalty thus far. British Airways can submit an appeal, however while it stands, the ICO will penalize the airline an amount of £183.39 million ($228 million) for failing to implement security controls that brought about a cyberattack on its website in 2018.
The penalty exceeds the earlier record of £500,000 ($623,000) that Facebook paid in relation to the Cambridge Analytica scandal. The breach at British Airways took place after May 25, 2018, which was the EU’s General Data Protection Regulation effective date.
GDPR modified an earlier EU directive and besides introducing a variety of new privacy and security rules, higher penalties for failures in privacy and data security were implemented. For a serious GDPR violation, the maximum penalty is currently €20 million ($22.4 million) or 4% of global annual revenues, whichever is greater.
The £183 million penalty issued by ICO is equivalent to 1.5% of British Airway’s global annual revenues for 2017. The maximum penalty issued could have been approximately £500 million if BA is a holding company like International Airlines Group (IAG). IAG’s global annual revenues in 2017 amounted to €2.27 billion.
The GDPR requires entities that had a breach affecting EU citizens’ data to report the breach up to 72 hours of discovering it. British Airways publicised its breach and submitted a breach report to ICO on September 6, 2018, 24 hours after the discovery of the breach.
ICO investigated the breach and discovered security failures that allowed hackers to exploit and access BA’s website. The hackers inserted a code, which redirected site visitors to a fake website used to steal their personal data and credit/debit card information. ICO stated that approximately 500,000 customers’ personal and financial data were stolen. The breach happened from around June 2018 until September 5.
ICO did not issue the penalty for the breach itself. The fine highlights the significance of security failures, which had allowed hackers unauthorized access.
Only a ‘Notice of Intent’ was issued by ICO to fine BA. There are 28 days for BA to file an appeal. Willie Walsh, International Airlines Group’s chief executive stated their intent to take all necessary steps to protect the airline’s position, which include filing an appeal.