It would be the heaviest penalty under a strict privacy rule known as the General Data Protection Regulation, which entered into force last year in the European Union.
The Office of the Information Commissioner of the United Kingdom stated that weak security allowed users' traffic to be diverted from the British Airways website to a fraudulent page starting in June 2018. The regulator stated that the company would have the opportunity to challenge the proposed fine.
According to the regulator, the attackers were able to collect customer data, including login information, payment cards and travel reservations. The airline revealed the incident in September 2018.
The fine of £183.4 million ($230 million) represents approximately 1.5% of British Airways' annual turnover. The carrier, which belongs to IAG (ICAGIE), said it would fight the penalty.
"We are surprised and disappointed with this first conclusion," British Airways CEO Alex Cruz said in a statement.
"British Airways responded quickly to a criminal act to steal customer data, and we found no evidence of fraud [or] fraudulent activity on accounts related to theft," he added.
The GDPR requires companies to ensure the security of data collection, processing and storage. Any organization that holds or uses data on individuals within the European Union is subject to the rules, regardless of where it is based. Companies that break the law can be fined up to 4% of their annual income.
"People's personal data is just personal data. When an organization fails to protect it from loss, damage or theft, it's more than a drawback," said Information Commissioner Elizabeth Denham in a statement. "That's why the law is clear: when personal data is entrusted to you, you must take care of it."