British Airways faces a £183m ($230m) fine for exposing sensitive customer information. But the company’s leaders are vowing to fight it in open court while downplaying BA’s culpability.
Thanks to what the British Information Commissioner’s Office (ICO) called “poor security arrangements”, the personal information of 500,000 BA customers who had booked directly with the airline (myself included) was exposed. The leaked details included:
- Login info (username + password)
- Stored payment information (credit or debit cards on file with BA)
- Telephone number
- Travel details
The ICO fined British Airways £183m, which is about 1.5% of net revenue and slightly less than 10% of net profit last year. Such harsh penalties are permitted under the EU’s 2018 General Data Protection Regulation (GDPR).
Addressing the fine, British Airways’ CEO Alex Cruz told The Guardian:
“We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused.”
Willie Walsh, CEO of BA’s parent company International Airlines Group (IAG), warned that BA would fight the fine:
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
British Airways does have the right to appeal the initial ICO ruling. Among its defenses, it will argue that it was not negligent but has taken even further actions since the breach to protect customer data.
Elizabeth Denham, head of the ICO, defended the severity of her office’s fine against BA:
“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO may simply be making an example of British Airways, but the huge fine serves as a poignant reminder of how carefully companies must guard the consumer data they have been entrusted with.