The Information Commissioner's Office (ICO) of the U.K. has proposed
a fine of 183.4 million British pounds ($229 million) against British Airways
for a data breach that impacted approximately 500,000 customers last year.

The fine would be levied for infringements of the European
Union's General Data Protection Regulation.

The proposed penalty relates to a data breach, which is
believed to have lasted from June to September of last year, in which user
traffic to the British Airways website was diverted to a fraudulent site. The
ICO said that after an extensive investigation, it found that poor security
arrangements at the airline led to customers having their names, addresses,
travel booking details, payment card information and log-ins compromised.

"People's personal data is just that -- personal,"
U.K. information commissioner Elizabeth Denham said in a prepared statement Monday.
"When an organization fails to protect it from loss, damage or theft, it
is more than an inconvenience. That's why the law is clear -- when you are
entrusted with personal data, you must look after it. Those that don't will
face scrutiny from my office to check they have taken appropriate steps to
protect fundamental privacy rights."

The airline told the BBC that it is "surprised
and disappointed" by the proposed fine. The ICO said that the airline has
made improvements to its security arrangements since the breach was discovered
last year. A British Airways spokesman didn't immediately respond to a
Travel Weekly email seeking comment.

British Airways will have an opportunity to respond to the
fine proposal before the ICO makes a final decision. The airline is owned by
International Airlines Group, which also owns Iberia, Vueling, Aer Lingus and