British Airways faces a record fine of £183m for the breach of its security systems last year.
Last year, the credit card details of British Airways customers were stolen from the airline’s website and app.
Approximately half a million customers had their names, addresses, credit card numbers, expiry dates and security codes stolen in the sophisticated attack that was reported to have taken place over a two-week period.
Storing a card's CVV (the three- or four-digit security code) after a transaction has been authorised is prohibited under the Payment Card Industry Data Security Standard (PCI DSS), so security researchers speculated that the card details were intercepted as customers entered them on the website and app, rather than harvested from a stored database.
At the time, British Airways was warned that under GDPR, fines can reach 4% of annual global turnover, which for BA meant a potential fine of £489m.
Yesterday, the Information Commissioner's Office (ICO), the UK's data protection regulator, announced its intention to fine the airline £183,390,000; BA can make representations before the penalty is finalised.
BA described the amount as both surprising and disappointing.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Until now, the biggest penalty was £500,000, imposed on Facebook for its role in the Cambridge Analytica data scandal; that was the maximum allowed under the Data Protection Act 1998, the rules that applied before GDPR.