British Airways will have to face a record fine – £183m because of a breakthrough in security systems that led to the leak of personal data.
Regulators have explained that this is the biggest financial penalty they have imposed and it is for the first time made public by the new rules that are in place.
The airline, owned by IAG, says it is surprised and disappointed by the penalty from the Information Commissioner’s Office (ICO).
The ICO said the incident took place after users of British Airways’ website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, the ICO said.
The incident was first disclosed on 6 September 2018 and BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details.
BA initially said information involved included names, email addresses, credit card information such as credit card numbers, expiry dates and the three-digit CVV code found on the back of credit cards.
The £183.4m fine, the first the ICO has proposed under the new General Data Protection Regulation (GDPR), amounts to about 1.5% of British Airways’ £11.6bn worldwide turnover last year.
The ICO said the incident was believed to have begun in June 2018.
