The 2018 data breach of British Airways may prove to be a record-breaking data compromise with the announcement of a newly proposed $230 million fine.
The U.K. Information Commissioner’s Office (ICO) proposed the fine under the European Union General Data Protection Regulation (GDPR) following the compromise of over 500,000 customers, including their login information, credit card numbers, and addresses. The fine is equal to 1.5% of British Airways total 2017 revenue, and represents the largest GDPR penalty to date.
While British Airways alerted the ICO within the 72-hour mandatory disclosure period for data breaches, the company was accused of poor internal cybersecurity and lax protections for customer data on its website and mobile app.
“When an organization fails to protect [customer data] from loss, damage or theft, it is more than an inconvenience. The law is clear: When you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” said UK information commissioner Elizabeth Denham.
“The ICO did what data protection and other regulatory authorities usually do–pick a large and easy target, make it an example, and hope everyone else gets in line. The fact that the fine was nearly 1.5% of BA’s global turnover speaks volumes about the willingness of the ICO to push the limits of their enforcement powers,” said CyberScout Global Privacy Officer Eduard Goodman.
“The fine being imposed by the UK ICO demonstrates that security failures are taken very seriously and organizations need to prioritize data protection, security, and privacy – or pay the price. While the largest fines are saved for those organizations particularly reckless with marketing efforts, consent and other core issues, ICO is signaling zero-tolerance for the failure to safeguard private information assets,” Goodman added.
British Airways is expected to contest the fine.