British Airways faces a £183m ($230m) fine for exposing sensitive customer information. But the company’s leaders are vowing to fight it in open court while downplaying BA’s culpability.
Thanks to what the British Information Commissioner’s Office (ICO) called “poor security arrangements”, the personal information of 500,000 BA customers who had booked directly with the airline (myself included) was exposed. The leaked details included:
- Login info (username + password)
- Stored payment information (credit or debit cards on file with BA)
- Name
- Address
- Telephone number
- Birthdate
- Travel details
The ICO fined British Airways £183m, which is about 1.5% of net revenue and slightly less than 10% of net profit last year. Such harsh penalties are permitted under the EU’s 2018 General Data Protection Regulation (GDPR).
Addressing the fine, British Airways’ CEO Alex Cruz told The Guardian:
We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused.
Willie Walsh, CEO of BA’s parent company International Airlines Group (IAG), warned that BA would fight the fine:
We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.
British Airways does have the right to appeal the initial ICO ruling. Among its defenses, it will argue that it was not negligent and that it has taken further steps since the breach to protect customer data.
CONCLUSION
Elizabeth Denham, head of the ICO, defended the severity of her office’s fine against BA:
People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.
The ICO may simply be making an example of British Airways, but the huge fine serves as a pointed reminder of how carefully companies must guard the consumer data with which they have been entrusted.
And this is one of the reasons this BA GGL flyer started to pull away from BA (There are other reasons as well).
– The malicious code was not sophisticated!
– BA had/has a duty of care for this information and did not implement adequate measures to protect it!
– BA continues to announce ‘not our fault’!
If it happened and they accepted blame with a blah, blah, blah admission, I could be tempted to remove this as one of the reasons for me to move away from them. But to continually state ‘not our fault’ when what they did is the equivalent of saying ‘we didn’t need to set the house alarm, all the doors and windows were locked’ :O identifies BA as either being incompetent or dishonest. Either way, that’s not a company I want to keep on my preferred list.
It is amazing that the CEO of BA Alex Cruz claims he has no indication of any theft. WRONG
My card was used to pay for taxes on a reward flight and the card was hacked. BA had indicated that my account was one that was probably compromised.
It took months to get a new card and have the fraudulent charges refunded.
I complained to BA but was told to go take a hike.
If there is any email address to which I can communicate my information I would be both pleased to participate as a witness or at least refute Mr Cruz’ lias.
Spelling error – Mr Cruz’ lies
If you have evidence that your compromised card info was subsequently used for fraudulent charges, you should contact the British Information Commissioner’s Office.