Last year, the UK's national carrier, British Airways, fell prey to a cyber attack that enabled the theft of thousands of its customers' data. Sensitive information such as billing addresses, email addresses, card numbers, card expiry dates, and CVV details of roughly 500,000 customers was leaked. Because the airline was unable to protect this data, the Information Commissioner's Office - the UK's regulatory body - has issued the airline with a record fine of £183m ($228m).
Elizabeth Denham, Information Commissioner, spoke about the penalty issued by the ICO:
"People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
Speaking about the fine, British Airways stated that the carrier is "surprised and disappointed" about the penalty imposed by the ICO. Alex Cruz, CEO of British Airways, commented:
"British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft."
While it may seem like a heavy burden on British Airways, the situation could have been a lot worse. Under the data privacy laws in place, namely the General Data Protection Regulation implemented in 2018, the ICO is legally entitled to impose a fine of up to 4% of an entity's international turnover. If this had been put into practice, the British airline would have had to pay around £500m ($625m).
Starting today, British Airways has a total of 28 days to appeal the massive record-breaking fine. The company's CEO adamantly stated that the airline intends to "defend the airline's position vigorously". Only time will tell how the appeal process unfolds, and whether British Airways will be able to battle the tides of fortune successfully.