British Airways is facing a £183.39 million fine over a data breach affecting payment data for around 380,000 of its customers, under the General Data Protection Regulation (GDPR).
British Airways contacted customers back in September 2018 to confess that it had been the victim of a data breach in which personally identifiable information (PII) on some 380,000 customers was accessed by persons unknown, including the card verification value (CVV) digits required to use credit card details in a cardholder-not-present transaction. Under Payment Card Industry (PCI) standards, CVV digits must be discarded immediately after use, which British Airways had been doing; unfortunately the attack saw the MageCart malware installed on the payment portal itself, allowing the capture of CVVs in the customer's browser before they were discarded.
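As an added example (not part of this article, and not British Airways' code), here is a defender-side check for the kind of payment-page script injection described above: it audits the script tags of a checkout page against an assumed allowlist of origins and flags scripts lacking a Subresource Integrity hash, using a constructed sample page.

```python
"""Audit the <script> tags on a checkout page for signs of an injected skimmer.
Constructed example: the allowlist and sample HTML are assumptions, not BA's page."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: the only origins a checkout page is expected to load scripts from.
ALLOWED_SCRIPT_ORIGINS = {"checkout.example.com", "cdn.example.com"}

# Constructed sample page: one expected script with SRI, one without, one from an
# unknown host, and one inline script that was not part of the deployment.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<script src="https://cdn.example.com/checkout.js" integrity="sha384-ABC"></script>
<form id="payment"><input name="cvv"></form>
<script src="https://cdn.example.com/analytics.js"></script>
<script src="https://stats.unknown-host.example/gateway.js"></script>
<script>document.getElementById("payment").addEventListener("submit", f);</script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))


def audit_checkout_page(html, allowed_origins=ALLOWED_SCRIPT_ORIGINS):
    """Return (reason, src) findings for scripts a payment page should not be running.

    A Magecart-style skimmer typically shows up as an external script from an
    unexpected origin or as an inline script absent from the last deployment, so
    each script is checked against the allowlist and for an SRI integrity hash.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        if src is None:
            findings.append(("inline script on payment page", None))
        elif urlsplit(src).hostname not in allowed_origins:
            findings.append(("script from non-allowlisted origin", src))
        elif not integrity:
            findings.append(("allowlisted script without SRI integrity", src))
    return findings


if __name__ == "__main__":
    for reason, src in audit_checkout_page(SAMPLE_CHECKOUT_HTML):
        print(f"{reason}: {src}")
```

Running such an audit against the deployed checkout page on a schedule, and diffing its output against the last known-good result, is one way to notice an unexpected script before it has been harvesting card data for months.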
At the time, British Airways chair and chief executive Alex Cruz stated that his company was 'deeply sorry for the disruption that this criminal activity has caused,' but that mea culpa doesn't seem to have given the Information Commissioner's Office (ICO) cause to go easy on the company: it has announced it will levy a £183.39 million fine under the General Data Protection Regulation (GDPR) for the company's failings.
'People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience,' explains Information Commissioner Elizabeth Denham of the fine. 'That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.'
Prior to the European Union's General Data Protection Regulation (GDPR), data breaches of this nature were subject to the Data Protection Act which capped the maximum fine at £500,000; the GDPR increased this limit to £17.92 million or four percent of a company's annual global turnover, whichever is greater.
British Airways has confirmed it plans to appeal the ruling, with Cruz claiming to be 'surprised and disappointed' at the ICO's decision.
March 25 2020 | 14:00