British Airways could be hit with a $229 million penalty related to a data breach that occurred last year as a result of insufficient security precautions.
In a statement, the U.K. Information Commissioner’s Office (ICO) said the results of its investigation showed “poor security arrangements” were to blame for the incident, which enabled hackers to obtain credit card information, names, addresses, travel booking details, and logins for about half a million of the airline’s customers.
“People’s personal data is just that—personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience,” said Information Commissioner Elizabeth Denham. “That’s why the law is clear—when you are entrusted with personal data you must look after it.”
“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” Denham added.
British Airways responds
Since the breach, which began in June 2018 and was disclosed by the airline in September, the company has improved its web security. In response to the ICO’s announcement, Alex Cruz, chairman and chief executive of British Airways, said the company was “surprised and disappointed” by the regulator’s decision.
“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused,” Cruz said.
The company now has 28 days to appeal the ICO’s initial finding, as well as the size of the fine, before the ICO makes its final call.
BBC News notes that the proposed penalty would be the largest to result from Europe’s General Data Protection Regulation (GDPR), which went into effect last year and requires companies to report data breaches to authorities within 72 hours.
“Until now, the biggest penalty was £500,000 [$644,000], imposed on Facebook for its role in the Cambridge Analytica data scandal,” according to BBC News. “That was the maximum allowed under the old data protection rules that applied before GDPR.”