British Airways Face Fine After Security Breach
The first notice of intention to issue a fine has been published by the ICO today – and it looks like they mean business.
British Airways are facing a fine of £183.39 million for a security breach reported in September last year, which allowed hackers to steal customer data. The ICO have stated that due to poor security arrangements, users of the BA website were diverted to a fraudulent site and the details of around 500,000 people were harvested, including credit card numbers and email addresses.
Despite the fact British Airways are the victims of a crime, they are being held accountable for their ‘poor security arrangements’, and they are still facing the sanction of a large fine and damage to their reputation.
Information Commissioner Elizabeth Denham said:
"People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.
"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
It’s important to note that this fine of £183.39 million is only 1.5% of BA’s annual turnover, and not the maximum possible fine of 4%. If the breach had happened 4 months earlier, the maximum fine could only have been (at most) £500,000.
It is therefore vital to make sure all steps are taken to ensure your business is compliant with GDPR. While the ICO will never issue a fine with a view to putting a company ‘out of business’, it could still be enough to create cash flow problems and job losses. Furthermore, having your name published in relation a data breach by the ICO will create significant damage to your company’s reputation, again leading to the loss of business and possible closure. In the future, if anyone searches for British Airways on Google, chances are that one of the top links will be to the ICO’s statement.
You can ensure compliance with GDPR by following the key steps in our Article.
If you have any concerns about GDPR or any queries on how we can help you with your compliance, please contact us on firstname.lastname@example.org.