The U.K. Information Commissioner’s Office (ICO) has proposed a fine of $230 million against IAG, the owner of British Airways, over thefts of customer data that occurred in August and September 2018.
In a statement, the ICO said data for approximately 500,000 customers was compromised after hackers diverted user traffic from the British Airways website to a fraudulent site. The scammers harvested login, payment, and travel data as well as names and addresses.
“The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information,” the office said in a statement.
The fine is being proposed under the EU General Data Protection Regulation that went into effect in 2018 and allows regulators to fine companies up to 4% of their global turnover for data-protection failures. The proposed penalty would be 1.5% of British Airways’ 2017 global revenue.
The chief executive officer of IAG, Willie Walsh, said the company could appeal the proposed fine.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” Walsh said.
The ICO investigated the breaches as the lead supervisory authority for other EU member states.
IAG has more than adequate liquidity to cover the fine, but “the penalty is still substantial,” Gerald Khoo, an analyst at Liberum, said.
“We are surprised and disappointed in this initial finding,” the chairman and CEO of British Airways, Alex Cruz, stated. “British Airways responded quickly to a criminal act to steal customers’ data,” he said. “We have found no evidence of fraud or fraudulent activity on accounts linked to the theft.”
The ICO said it would “consider carefully the representations made by the company and the other concerned data protection authorities” before it takes final action.
Through the first three quarters of 2018, the Identity Theft Resource Center said, there were 932 data breaches that resulted in the exposure of more than 47 million records.