UPDATE
A record $230 million fine has been proposed against British Airways after a 2018 data breach impacted 500,000 of the airline’s customers. If approved, the penalty would be the biggest General Data Protection Regulation (GDPR) fine issued to a company so far.
On Monday, the Information Commissioner’s Office (ICO), a U.K. privacy watchdog organization, said it will fine British Airways £183.39 million ($230.5 million) for infringements of GDPR. Privacy experts say that the penalty represents a “wake-up” call for companies when it comes to ramifications for data privacy incidents.
“Companies need to do a better job assessing and managing the risk associated with third parties in their cyber supply chain,” Matan Or-El, CEO of Panorays said in an email. “The £183 million fine that British Airways is facing is likely just the tip of the iceberg for what is to come, and should serve as a wake-up call for organizations that GDPR is here and being enforced.”
The fine would be the largest levied under GDPR, surpassing previous ones including a fine against Google for $57 million, as well as other previous ICO penalties including fines for Facebook of $645,000 that stemmed from Cambridge Analytica’s data harvesting practices, and fines for Equifax of $645,000 for the company’s failure to protect 15 million U.K. citizens in a 2017 cyberattack.
Since GDPR came into force in May 2018, the rules have allowed for maximum penalties of as much as 4 percent of a company’s global turnover. British Airways said in a statement that the penalty proposed by the ICO represents 1.5 percent of its worldwide turnover for the financial year ended 31 December 2017.
When asked where the money from the fine will go, an ICO spokesperson told Threatpost: “All monetary penalty notices issued by the ICO go to the Treasury.”
British Airways said in a statement that it “intends to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”
“We are surprised and disappointed in this initial finding from the ICO,” Alex Cruz, British Airways chairman and chief executive, said in a statement sent to Threatpost. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”
The fine stems from a data breach, reported by the airline in September 2018, of its website and mobile app. The breach exposed the personal and financial details of 500,000 customers – including name, address and bank card details such as the CVC code – who made bookings on its website (ba.com) and the airline’s app.
It is believed that British Airways was first hit by the data breach in June 2018. In September 2018, the company said approximately 380,000 card payments were compromised in the breach. That number increased to 500,000 in October 2018, when the airline said that the breach it first reported in September was larger than previously thought.
Researchers told Threatpost that the campaign can be attributed to Magecart with “medium-high confidence.” The Magecart group, in operation since 2015, has been blamed for an array of recent breaches, including one of the most prolific card-stealing operations seen in the wild to date, as well as a massive breach of Ticketmaster earlier in the year. The Magecart group loaded a digital card-skimmer script into the baggage claim information page on the British Airways website, so that when a user clicked the button to submit their payment on the compromised site, their name and payment card data were extracted and sent to the attacker’s server.
The ICO said that it will “consider” any appeals made by British Airways and representations from other concerned data protection authorities before making a final decision regarding the fine.
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience,” said Information Commissioner Elizabeth Denham in a statement. “That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
This article was updated on July 9 at 8:46 am ET to include further comment by the ICO.