The airline, owned by IAG, says it is “surprised and disappointed” by the penalty from the Information Commissioner’s Office (ICO).
At the time, BA said hackers had carried out a “sophisticated, malicious criminal attack” on its website.
The ICO said it was the biggest penalty it had handed out and the first to be made public under new rules.
The ICO said the incident took place after users of British Airways’ website were diverted to a fraudulent site. Through this false site, details of about 500,000 customers were harvested by the attackers, the ICO said.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The incident was first disclosed on 6 September 2018 and BA had initially said approximately 380,000 transactions were affected, but the stolen data did not include travel or passport details.
What information was stolen?
The ICO said the incident was believed to have begun in June 2018.
The watchdog said a variety of information was “compromised” by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information.
BA initially said the information involved included names, email addresses and payment card details: card numbers, expiry dates and the three-digit CVV code printed on the back of the card.
The watchdog said BA had co-operated with its investigation and made improvements to its security arrangements.
What are the new rules?
The General Data Protection Regulation (GDPR) came into force last year and was the biggest shake-up to data privacy in 20 years.
The penalty imposed on BA is the first one to be made public since those rules, which make it mandatory to report data security breaches to the information commissioner, were introduced.
It also increased the maximum penalty to 4% of turnover. The BA penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum.
Until now, the biggest penalty was £500,000, imposed on Facebook for its role in the Cambridge Analytica data scandal. That was the maximum allowed under the old data protection rules that applied before GDPR.
‘Sending a shiver down the spine’
I imagine that many people’s first reaction to the £183m fine that the Information Commissioner plans to levy on British Airways will have mirrored mine – surely the decimal point must be in the wrong place?
After all, the proposed penalty is roughly 367 times as high as the previous record fine, the £500,000 imposed on Facebook over the Cambridge Analytica scandal.
The difference, of course, is that the law has changed between the two incidents, with the arrival of a new law mirroring Europe’s GDPR. This allows fines of up to 4% of annual turnover.
Now you might have expected the data regulator to be somewhat cautious at first in wielding this powerful new weapon, but today’s news will send a shiver down the spine of anyone responsible for cybersecurity at a major corporation.
The message is clear – if you don’t treat your customers’ data with the utmost care expect severe punishment when things go wrong.
British Airways certainly appears to be stunned. But then again it could have been worse: the full 4% of turnover would have meant a fine approaching £500m.
What happens next?
BA has 28 days to appeal. Willie Walsh, chief executive of IAG, said British Airways would be making representations to the ICO.
“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” he said.
Alex Cruz, British Airways’ chairman and chief executive, said the airline was “surprised and disappointed” in the ICO’s initial finding.
“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.
“We apologize to our customers for any inconvenience this event caused.”
Fraudster attempted to shop at Harrods
David Champion believes that the BA data breach probably led to his credit card being used fraudulently.
He says he was notified that his card had been used in an attempt to buy items at Harrods by phone while he was in Malaysia.
“BA is claiming there were no fraudulent transactions from the leak. My card details, I don’t think, were exposed anywhere else,” he told the BBC.
The transaction was rejected and Mr. Champion was not left out of pocket.
“BA contacted me in August/September about the breach, that addresses and emails were leaked. Later they said credit card details were too,” he added.
He was worried as he knew he had used BA’s site twice and said that it was right that BA was being penalized for the incident.
Where does the money go?
The penalty is divided up between the other European data authorities, while the money that comes to the ICO goes directly to the Treasury.
It is up to individuals to claim money from BA, which provided no information on whether any compensation had been paid.
Under the regulations, authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.