British Airways (BA) is facing a record £183.39 million ($230 million) fine over a 2018 security breach that compromised the personal data of roughly 500,000 customers.
The U.K. Information Commissioner’s Office (ICO) said that it has “issued a notice of its intention” to levy the fine against BA. The notice is not yet final: BA has 28 days to make representations before the ICO settles on a final figure, and a penalty notice, once issued, can still be appealed.
The breach, which the ICO said it believes started in June 2018, some three months before it was eventually reported, was the result of “poor security arrangements,” according to a statement. An unknown third party had set up a fraudulent website to receive visitor traffic diverted from BA’s site; that bogus site harvested personal data such as login information, payment card details, names, addresses, and travel booking details.
The GDPR, which requires companies to report data breaches to the appropriate European supervisory authority within 72 hours of becoming aware of them, allows data protection authorities across the EU bloc to fine companies up to 4% of their total worldwide annual turnover (or €20 million, whichever is higher). BA reported turnover of around £12.2 billion ($15 billion) in 2017, so the proposed ICO fine equates to around 1.5% of that figure, considerably less than the maximum.
That said, the BA fine is still by far the biggest proposed under the GDPR, which came into effect in May 2018. While a number of fines have already been issued under the GDPR, they have mostly been in the tens or hundreds of thousands of euros, with one notable exception: Google was hit with a €50 million ($57 million) fine by French data privacy body CNIL in January over a “lack of transparency” and “inadequate information” about how ads are personalized for each user. It is worth noting that Facebook was also handed a £500,000 ($644,000) fine over the Cambridge Analytica episode; however, that was under the pre-GDPR Data Protection Act 1998, for which £500,000 was the maximum penalty available.
“People’s personal data is just that — personal,” noted U.K. information commissioner Elizabeth Denham. “When an organization fails to protect it from loss, damage, or theft it is more than an inconvenience. That’s why the law is clear — when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO said that BA has “made improvements to its security arrangements” since the incident was reported.
Complying with the GDPR has been a headache for many companies, and some online properties, such as U.S. newspapers, elected to block European visitors rather than face potentially huge fines. The regulation is nonetheless designed to tighten and harmonize data protection law across the EU, to give internet users the control mechanisms to manage their data, and to ensure that there are sufficient punishments in place for companies that contravene the law. As part of its own GDPR compliance, Google shifted responsibility for its European users’ data from the U.S. to its Irish subsidiary.
As a result of GDPR and other similar regulations around the world, a number of startups are pushing to capitalize on the growing demand for data sovereignty and privacy tools. Privitar, for example, recently raised $40 million for a platform that helps enterprises engineer privacy protection into projects that may contain sensitive data. Elsewhere, InCountry launched with $7 million in funding to help multinational companies store customer data locally.