British Airways is facing a fine of 183.39 million pounds from the U.K. Information Commissioner's Office for infringements of the General Data Protection Regulation.

The fine relates to personal data of almost 500,000 customers compromised beginning in June 2018 via a fraudulent site to which users of the British Airways site were redirected. British Airways notified the ICO of the incident last September, after which there was an "intensive investigation," according to the ICO.

British Airways chairman and CEO Alex Cruz said he was surprised at the size of the fine, as the carrier "responded quickly" and "found no evidence of fraud/fraudulent activities on accounts linked to the theft," according to Reuters. The carrier now has a chance to present its case to the ICO before the office issues its final decision.

Data protection firm GlobalData head of research and analysis Nick Wyatt said 183 million pounds is a record fine but could have been even higher. The figure represents 1.5 percent of the carrier's net sales; GDPR laws permit fines as high as 4 percent, he said.

"The ICO's strict enforcement of the new rules will have sent a huge shiver down the spine of many a CEO as it demonstrates the ever-present threat of a large financial penalty for any company holding customer data," according to Wyatt. "The size of BA's fine must serve as a wake-up call for other companies, many of whom are still highly vulnerable to cyberattacks themselves."