British Airways (BA), part of the International Airlines Group (IAG), has been hit with a proposed £183 million (US$229 million) fine for a data breach in which credit card details, including the card number, expiry date and three-digit CVV security code, were stolen from the reservations system for passengers who booked directly with the carrier over a two-week period during August and September 2018.
In addition, one month after reporting this data breach, BA confirmed that data for passengers booking through its Avios scheme between April and July 2018 was also vulnerable. Over 200,000 passengers were subsequently at risk from the August-September data breach, though BA was keen to point out that as far as it was aware, none of those whose personal data was accessed suffered any financial loss as a consequence of the data breaches.
The Information Commissioner's Office (ICO) said it intends to issue the airline with a penalty notice under the Data Protection Act. The proposed penalty of £183.4m (US$229 million) was calculated at the rate of 1.5 per cent of BA's worldwide revenue in 2017, which equates in this instance to approximately £4.00 (US$5.00) per passenger projected to use the airline this year. Maximum penalties can extend to 4 per cent of a company's total global revenue under newly changed rules.
The Information Commissioner, Elizabeth Denham, said: “People's personal data is just that – personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience. That's why the law is clear – when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
IAG chief executive, Willie Walsh, said: “British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals.”