British Airways is facing a fine of nearly $230 million (£183 million) after it suffered an online data breach that began in June 2018. Attackers diverted traffic from the airline's website to a fraudulent site and harvested customers' log-in details, payment card numbers, travel booking details, names and addresses.
The UK's Information Commissioner's Office issued a statement Monday saying the airline infringed the General Data Protection Regulation, better known as GDPR.
The GDPR is the European Union's revamped set of rules on data protection. It went into effect in May 2018.
Any company operating in the European Union, or handling the personal data of people in it, has to comply with the GDPR. That means, among other things, companies have to obtain "affirmative consent" from users before collecting and using their data. If a company transfers that data outside the EU, it has to tell the user. And if a breach does happen, a company can be punished for having had lax security.
That's the case in this instance. According to the ICO statement, British Airways' breach was caused by its own "poor security arrangements."
Information Commissioner Elizabeth Denham said, quote, "People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That's why the law is clear – when you are entrusted with personal data you must look after it."
The chairman and chief executive of British Airways said in a statement the company is "surprised and disappointed" by the ruling and will take “all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals."
This $230 million fine sets a precedent in more ways than one.
It's the first penalty the ICO has publicly announced under the GDPR.
It's also by far the largest penalty the ICO has ever issued over a data breach, dwarfing the £500,000 (over $625,000) it fined Facebook over the Cambridge Analytica scandal, which was the maximum allowed under the pre-GDPR law.
The penalty is not yet final. The ICO says British Airways has cooperated with its investigation, and that it will take the airline's representations into account before making its final decision on the amount.