British Airways Faces Landmark $230 Million Data-Theft Fine

Penalty would be first major one under EU data-protection rules.

A British Airways aircraft lands at London Heathrow airport against a backdrop of British Airways branded tailfins on aircraft near terminal 5 in London, U.K. (Photographer: Simon Dawson/Bloomberg)

(Bloomberg) -- The U.K. plans to fine British Airways 183.4 million pounds ($230 million) over computer attacks that exposed customer data, marking the first major British application of far-reaching European Union rules requiring companies to tighten anti-hacking measures.

The proposed penalty relates to data theft affecting about 500,000 customers between June and September last year, the U.K. Information Commissioner’s Office, which protects data privacy, said in a statement Monday. BA parent IAG SA said the fine amounts to 1.5% of the airline’s 2017 revenue.

The ICO said the hack involved BA’s website traffic being diverted to a fraudulent site through which customer details were harvested, adding that security was compromised by poor protection of functions related to log-in, payment card and travel booking details, as well as name and address information.

“We are surprised and disappointed in this initial finding from the ICO,” British Airways Chief Executive Officer Alex Cruz said in the statement.

IAG shares fell 1.5% to 449.9 pence at 12:13 p.m. in London. The ICO said in a statement that it will carefully consider the carrier’s position before reaching a final decision.

BA had initially said its systems were compromised from Aug. 21 through Sept. 5 and that about 380,000 transactions had been affected, with Cruz describing the attack as sophisticated, malicious and criminal. At the time, it advised people to contact credit card providers to manage the breach and said stolen data didn’t include travel or passport details.

The airline said it responded quickly and hasn’t found any evidence of fraud on accounts linked to the theft.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” IAG CEO Willie Walsh said in the statement.

The EU’s General Data Protection Regulation, which took effect on May 25, 2018, requires companies to take technical precautions such as encryption to ensure customer data is protected. It also states that firms must notify authorities about breaches within 72 hours after learning about them. Violations may lead to fines of as much as 4% of a company’s annual sales.

“We were expecting the ICO to hand down some pretty hefty fines to coincide with the first GDPR anniversary and it has now started to do so,” Patrick Wheeler, a lawyer at law firm Collyer Bristow, said in a statement. “The fine imposed on British Airways may be the first, but it will not be the last: several large commercial and public sector entities will all be in the ICO’s spotlight.”

To contact the reporters on this story: Anthony Palazzo in London at apalazzo@bloomberg.net; Christopher Jasper in London at cjasper@bloomberg.net

To contact the editors responsible for this story: Anthony Palazzo at apalazzo@bloomberg.net, Tara Patel, Anthony Aarons

©2019 Bloomberg L.P.