The U.K.’s Information Commissioner’s Office (ICO) has hit British Airways with a massive GDPR fine over a 2018 data breach that allowed hackers to steal the personal data of half a million passengers, the Guardian reports. The total fine amounts to £183 million (about $229.2 million).
The ICO says that data breach—which included passengers’ login details, name, address, travel bookings, and payment card information—happened because British Airways had “poor security arrangements” in place to protect passenger data. Announcing the record fine, the ICO’s information commissioner Elizabeth Denham said:
People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.
Though the GDPR fine is a record, it only accounts for 1.5% of British Airways’ £11.6 billion (about $13.7 billion) worldwide turnover last year. Under the GDPR, companies can be fined up to 4% of their worldwide turnover in a given year for each data breach.
British Airways says it has improved its web security since the data breach and that it is disappointed in the fine. Willie Walsh, the chief executive of BA’s parent company, International Airlines Group (IAG), said:
British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.