The Information Commissioner’s Office (ICO) says it intends to issue the airline with a penalty notice under the Data Protection Act. The sum represents 1.5 per cent of BA’s global turnover in 2017.
It is the largest fine so far under the new data regulations. The airline and its parent company, IAG, say they will appeal.
Here are the key questions answered.
What is the background?
In the summer of 2018, cyber-criminals stole payment card details from an estimated 500,000 passengers who bought flights on the ba.com website or through the British Airways app, or made transactions involving Avios.
The personal data comprised the passenger’s name, travel plans, billing address, email address and payment card details, and the three-digit security code (“card verification value,” or CVV) from the back of the card.
At the time, British Airways told those whose data was at risk: “We are very sorry that this criminal activity has occurred. We’ll reimburse our customers who have suffered financial losses as a direct result of the theft of their payment card details.
“As a precaution we recommend you contact your bank or card provider and follow their advice.”
The airline also offered free credit and identity monitoring services.
BA now says no evidence has emerged of fraudulent activity relating to the hack.
How did it happen?
The ICO says the attack worked in part by diverting traffic from the genuine BA website to a fraudulent site, through which customers' details were harvested by the attackers.
Like banks, airlines tend to run “legacy” reservation systems whose origins lie deep in the 20th century. Although they have been continually updated, their underlying architecture was not designed with today's threats in mind and is less robust than that of newer IT systems.
Many other airlines have been affected by data breaches, including the giant US airline, Delta, and Cathay Pacific of Hong Kong. In the latter case, the personal data of 9.4m customers were accessed.
The job prospects for IT security specialists have never looked better.
What does the law say?
Under the General Data Protection Regulation (GDPR), an organisation that does not protect customers’ data can be fined up to 4 per cent of annual global revenue (or €20m, whichever is higher). In 2017 BA’s revenue amounted to £12.2bn, making the maximum possible fine £488m.
The proposed penalty of £183.4m is significantly less, at 1.5 per cent of turnover, but with apparently no material financial harm having been caused, the size of the fine has surprised many observers – and appalled British Airways.
Alex Cruz, the airline boss, says he was “surprised and disappointed” by the ICO’s finding. After the breach, he says, BA responded quickly.
The Independent understands that the airline was expecting a fine in the region of £20m to £50m, representing 0.16 to 0.4 per cent of turnover.
What does the Information Commissioner say?
Elizabeth Denham is making an example of British Airways, saying: “The law is clear – when you are entrusted with personal data you must look after it.
“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO says British Airways has cooperated with its investigation and has made improvements to its security arrangements.
BA feels it has been scapegoated as a warning to other businesses, and that the fine is out of all proportion to the harm caused.
Will the fine be divided between affected passengers?
No. The penalty works out at roughly £367 for each of the 500,000 customers the ICO says was affected, but the cash goes straight to HM Treasury and into general government funds.
Will fares go up?
The proposed penalty is a significant cost to British Airways, which works out at £4 for each passenger BA will carry in 2019. But at a time of intense competition, any airline will find it difficult to increase fares without losing business to rivals.
What can travellers do to avoid having their data stolen?
After the multiple airline hacks, carriers are redoubling their efforts to protect data – in the possibly vain hope that there will be no future large-scale breaches.
The BA breach affected only people who booked direct with the airline, not through travel agents.
Booking through an intermediary may add a layer of security, though it increases the number of organisations with access to your data.