A record ICO intent to fine for BA’s hacker devastation – £183m

22nd July 2019

If you’ve glanced at the news lately, you’ll have seen the damage that hackers have done to British Airways, and the price the airline now faces for failing to protect its passengers’ data. Around half a million British Airways customers had their personal data stolen in September 2018.

Given the number of passengers affected and the seriousness of the failings, the Information Commissioner’s Office (ICO) has indicated that it intends to fine the company £183 million, a figure that dwarfs the previous largest fine of £500,000 (the maximum available under the old Data Protection Act).

Why is the fine so high?

The General Data Protection Regulation (GDPR), which came into effect in May 2018, was designed to strengthen citizens’ rights over how their personal data is used, and it empowers supervisory authorities to fine companies up to 4 per cent of their annual global turnover.

The intended fine of £183.39 million is roughly 1.5 per cent of BA’s annual turnover of around £12 billion.

The ICO said that the proposed fine was calculated from a combination of the seriousness of the failings, the number of people affected and the steps the company had taken to mitigate the harm.

British Airways had previously argued that the theft of customers’ data was the result of criminal activity rather than its own IT failings. It said that it was “surprised and disappointed” by the finding and would “vigorously” contest it. The ICO added that BA has fully cooperated with its investigation and has made security improvements since the breach was discovered.

What happened in the attack:

Customer information was obtained through a combination of the ba.com website and the airline’s mobile app. The information included names, billing addresses, email addresses and travel arrangements, as well as payment card numbers, expiry dates and even the three-digit card verification value (CVV) numbers that are supposed to act as an anti-fraud security feature. Because merchants are not permitted to store the CVV after a payment has been authorised, its presence in the stolen data is a strong sign that card details were captured as customers typed them in, rather than lifted from a stored database.

Passengers were told to notify their banks immediately, and many ended up having their bank and credit cards replaced.

Why the attack happened:

The ICO’s statement indicates that it believes BA’s cybersecurity was lax. It said that hackers had been able to harvest passenger details because customer traffic was diverted to a fraudulent site.

“The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company,” the agency said. In other words, the ICO holds BA, not just the attackers, responsible for the breach of GDPR: the attack may have been criminal, but the data controller is still accountable for the security measures that allowed it to succeed.

Protect your business and your reputation

If you’re worried about gaps in your security or about failing to comply with complex GDPR regulations, speak to our specialists today. We pride ourselves on saving organisations like yours from costly fines like this one – 01673 88 55 33.

Let us ease your mind

If you have any queries, questions or requests, please get in touch. We’re always happy to talk: you’ll find a friendly voice on the end of the line, or you can simply fill out the contact form.
