The U.K. Information Commissioner’s Office (ICO) may fine British Airways £183.39 million ($230 million) after the airline failed to protect its customers’ data. The proposed fine relates to a data breach that British Airways notified to the ICO in September 2018 and that exposed around 500,000 customers’ personal information.
The ICO said its investigation found that the breach compromised customer details, including login, payment card, name, address, and travel booking information, which was harvested after users were diverted to a fraudulent website. The data breach, which began in June 2018, occurred because of poor security arrangements for protecting customer information, the ICO stated.
“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” said the information commissioner, Elizabeth Denham.
Commenting on the proposed penalty, Alex Cruz, the chairman and chief executive of British Airways, said, “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused.”
British Airways announced the breach on September 6, 2018. It notified its customers that “From 22:58 BST August 21, 2018, until 21:45 BST September 5, 2018, inclusive, the personal and financial details of customers making or changing bookings on our website and app were compromised.” Around 380,000 payment-card details were stolen during that period. The airline notified the police, and investigations are underway. The airline also assured customers that it would compensate them for any losses.
Recently, a research report stated that a hacker group dubbed Magecart was responsible for the data breach at British Airways. According to security researcher Yonathan Klijnsma of the cybersecurity company RiskIQ, the attackers allegedly used a skimming script, malicious code injected into the British Airways website and designed to steal customer data as it was entered.
RiskIQ said it had found similarities between the British Airways incident and the Ticketmaster heist that took place in June. The attackers used a similar approach in both cases, and RiskIQ believes the same group could be behind both, according to the researcher.