The Information Commissioner’s Office (ICO) released a statement on Monday outlining its intentions to fine British Airways £183.39 million for infringements of the General Data Protection Regulation (GDPR).
The GDPR is Europe’s new data protection framework, which took effect on 25 May 2018.
The £183.39 million fine is related to a cyber incident back in September 2018, which involved user traffic to the British Airways website being diverted to a different, fraudulent, site.
It was through this fraudulent site that customer details were harvested by the attackers, the ICO said in the statement.
The incident is said to have begun in June 2018 and the personal data of roughly 500,000 customers were compromised.
According to the ICO’s investigation, poor security arrangements at the company led to a range of information being compromised, including login, payment card and travel booking details, as well as name and address information.
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience,” Information Commissioner Elizabeth Denham commented on the incident.
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” Elizabeth Denham continued.
The ICO said that British Airways has cooperated with the investigation and has made improvements to its security arrangements since the data breach.
Shares in British Airways’ owner, International Consolidated Airlines Group SA (LON:IAG), were trading 0.7% lower as of 09:31 BST.