British Airways Fined $229 Million for 2018 Data Breach
The Information Commissioner's Office (ICO), a data security watchdog in the U.K., has fined British Airways £183 million (approximately $229 million) for the company's poor security practices that let hackers gather information about the names, email addresses and credit card numbers of 380,000 transactions and affected 500,000 customers.
The hack, which took place in June 2018, was conducted using the digital equivalent of a credit card skimmer -- injecting scripts that stole sensitive information from online payment forms or through compromised third-party suppliers. Security researchers at RiskIQ, which examined the attack, said that "only 22 lines of script victimized 380,000 people."
The ICO confirmed that the airline had cooperated with the investigation and made improvements to its security arrangements, however Alex Cruz, British Airways' chairman and chief executive, said the airline was "surprised and disappointed," according to the BBC.
"British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused." The company still has 28 days to appeal the fine.
In a statement, Information Commissioner Elizabeth Denham said, "People's personal data is just that -- personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear -- when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
This is reportedly the biggest fine that the ICO has levied on a company, far outweighing the £500,000 Facebook had to pay for its role in the Cambridge Analytica scandal. This is because of the General Data Protection Regulation (GDPR), which replaced the 1998 Data Protection Act and increased the maximum fine to 4 percent of a company's turnover.
British Airways' penalty is only 1.5 percent of its 2017 turnover, so it's possible we will see larger punishments given to companies in future. The money British Airways hands over will be divided up between other European data regulators, with the money the ICO receives going directly to the U.K. government.