British Airways owner International Airlines Group (LSE:IAG) edged down to 452.6p on Monday morning after revealing that it is set to receive a record fine over a customer data breach. The total proposed penalty of £189.39m would be the largest ever issued by the UK Information Commissioner’s Office (ICO) and equivalent to 1.5pc of BA’s worldwide turnover in 2018.
The fine relates to the theft of customers’ personal and financial information from the BA website and mobile app between June and September last year. The airline said around 380,000 payment cards had been compromised as part of the incident, which is linked to the Cambridge Analytica data scandal. However, the ICO said in a statement that it believes that 500,000 customers have been impacted by the incident, which was made public on 6 September and 25 October last year.
The office found that the leak arose as a result of inadequate security arrangements, with some users being diverted to a fraudulent page while attempting to access BA’s website. Here, details such as their login, payment card, and travel booking details were harvested by fraudsters.
According to the Evening Standard, Elizabeth Denham, an information commissioner at the ICO, said: ‘People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.’
In a statement today, BA and IAG indicated that they plan to appeal against the proposed fine. Willie Walsh, IAG chief executive, said: ‘British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.’
Meanwhile, Alex Cruz, British Airways chairman and chief executive, added: ‘We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.’
In response to Monday’s news, some market commentators have expressed doubt over the ICO’s intention to actually make IAG pay such a large sum. Some have accused the group of posturing and using BA’s case to send out a message to other companies regarding the strength of its new disciplinary powers. Indeed, under the previous regime, it was only allowed to fine companies up to £500,000.
That being said, it could be worse for BA – under the new regime the ICO has the power to penalise firms up to 4pc of global turnover.