Skip to main content

British Airways-owner IAG is facing a record US$230-million fine for the theft of data from 500,000 customers from its website last year under tough new data-protection rules policed by the U.K.’s Information Commissioner’s Office (ICO).

The ICO proposed a penalty of 183.4-million pounds, or 1.5 per cent of British Airways’ 2017 worldwide turnover, for the hack, which it said exposed poor security arrangements at the airline.

BA indicated that it planned to appeal against the fine, the product of European data protection rules, called GDPR, that came into force in 2018. They allow regulators to fine companies up to 4 per cent of their global turnover for data-protection failures.

Story continues below advertisement

The attack involved traffic to the British Airways website being diverted to a fraudulent site, where customer details such as log in, payment card and travel booking details as well as names and addresses were harvested, the ICO said.

Information commissioner Elizabeth Denham said: “People’s personal data is just that – personal.

“When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it.”

BA’s chairman and chief executive Alex Cruz said he was “surprised and disappointed” by the proposed penalty.

“British Airways responded quickly to a criminal act to steal customers’ data,” he said.

“We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

Willie Walsh, CEO of parent company IAG, said BA would be making representations to the ICO about the proposed fine.

Story continues below advertisement

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” he said.

Shares in IAG fell 0.8 per cent to 452.7 pence by 0810 GMT.

Analyst Gerald Khoo at broker Liberum said the proposed fine equated to about 9 pence for each IAG share.

“While IAG has more than adequate liquidity to cover the fine [December, 2018, cash 3.8-billion euros, total liquidity 6.3-billion euros], the penalty is still substantial,” he said.

The ICO, which could impose fines of up to 500,000 under previous rules, had also investigated BA on behalf of other European regulators.

The ICO fined Facebook 500,000 pounds in 2018 for serious breaches of data protection law. It said the penalty would have “inevitably have been significantly higher under GDPR.”

Report an error
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

Cannabis pro newsletter