British Airways owner IAG said on Monday the Information Commissioner’s Office (ICO) intends to impose a penalty of £183.4 million ($230 million) for the theft of customer data from the airline website last year.
The UK Information Commissioner’s Office said that weak security allowed user traffic to be diverted from the British Airways website to a fraudulent page starting in June 2018. The regulator said the company will have a chance to contest the proposed fine.
Attackers were able to harvest customer details including login credentials, payment card details, and travel booking details, according to the regulator. The airline disclosed the incident in September 2018.
The £183.4 million ($230 million) fine is roughly 1.5% of British Airways’ annual revenue. The carrier, which is owned by IAG (ICAGY), said it would fight the penalty.
“We are surprised and disappointed in this initial finding from the ICO… British Airways responded quickly to a criminal act to steal customers’ data,” said British Airways Chairman and Chief Executive Officer Alex Cruz.
“We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
IAG said it would defend the airline’s position “vigorously”, including by making any necessary appeals.
GDPR requires companies to put appropriate technical and organizational measures in place to protect the personal data they collect, process and store. Any organization that holds or processes data on people inside the European Union is subject to the rules, regardless of where it is based. Companies that breach the law can be fined up to 4% of their annual global turnover or €20 million, whichever is higher.
“People’s personal data is just that — personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience,” Information Commissioner Elizabeth Denham said in a statement. “That’s why the law is clear — when you are entrusted with personal data you must look after it.”
Image: British Airways aircraft are seen at Heathrow Airport in west London, Britain.