After investigating the incident, the UK Information Commissioner’s Office (ICO) concluded that “security deficiencies in the company” led to the loss of information such as personal data, bank details, flight bookings, reservations and login credentials belonging to more than half a million airline customers.
If the ICO’s decision is applied as intended, this would be the largest fine imposed after an information security incident in UK history, a record so far held by Facebook, due to the Cambridge Analytica scandal. British Airways has one month to appeal the data regulator’s decision. “The theft of personal information is a very serious incident, companies should take better measures to protect the privacy of their users,” said Elizabeth Denham, British Information Commissioner.
According to data protection experts, just a year ago the ICO imposed a historic fine on Facebook (more than £500k) for non-compliance with user data protection rules, having granted access to user data to multiple third-party companies, including the analysis firm Cambridge Analytica; this is estimated to have affected more than 80 million social media users.
The ICO added that the fine for Facebook was the maximum amount allowed by the UK Data Protection Act, passed in 1998. “The incident occurred when GDPR was not yet in effect,” Denham said. The European Union General Data Protection Regulation (GDPR) establishes significantly higher fines for data breach incidents; under the new law, a company can be fined up to 4% of its annual revenue.
On the other hand, a spokeswoman for the airline stated that British Airways was “surprised and deeply disappointed” by the ICO’s decision. “There is no evidence to prove any kind of fraudulent activity on accounts affected by the data breach,” the spokeswoman said.
Despite the company’s annoyance, data protection experts from the International Institute of Cyber Security (IICS) say British Airways has been cooperating with the ICO’s investigation, as well as implementing the security measures recommended by the British data watchdog.