British Airways fined $328 million after massive credit card data theft




British Airways is being fined 183 million pounds sterling (328 million Australian dollars) for a breach that compromised the information of half a million customers.

The penalty is the heaviest to date under new, tougher regulations and should be considered a test for companies that fail to secure large data caches.

The British Information Commissioner proposed the fine Monday, several months after BA revealed that it had been the victim of hacking. The scam diverted customers to a fake website where the attackers collected their credit card details.

"Personal data of people are only personal data. When an organization fails to protect it from loss, damage, or theft, it's more than a drawback," said Information Commissioner Elizabeth Denham.

"This is why the law is clear: when personal data are entrusted to you, you must take care of it."

The regulator said the proposed fine – equivalent to 1.5% of the airline's annual turnover – was the heaviest ever imposed. It comes about a year after the Member States of the European Union began to implement the most radical change in data protection rules for a generation.

The General Data Protection Regulation (GDPR) was designed to make it easier for EU residents to give and withdraw permission for businesses to use personal information – but also to hold businesses that keep data responsible for how they handle it.

Authorities may fine companies that violate the rules up to 4% of annual turnover or 20 million euros ($32.1 million), whichever is greater.

The Office of the Information Commissioner stated that its BA investigation revealed that "poor security arrangements" had compromised login, credit card and travel booking information, as well as names and addresses.

BA's parent company, International Airlines Group (IAG), said it would fight the proposed fine. It has 28 days to present its arguments at the first stage of the process, which could take some time.

"We intend to take all necessary measures to vigorously defend the airline's position, including making the necessary appeals," said Willie Walsh, CEO of IAG.

The proposed fine is the largest imposed by the ICO since Facebook was ordered to pay £500,000 (£897,000) for allowing political consultancy Cambridge Analytica to delve into the personal data of millions of unknowing Facebook users.

But Facebook's case predated the entry into force of the new GDPR rules, and the fine was the maximum penalty available at the time of the incidents.

Monday's announcement marks a turning point for Ms. Denham's office. This is the first major foray under the new legislation in which the information authorities have accused well-meaning companies of failing to comply with data protection regimes.

The fine proposed for BA could be of particular concern to companies that use a lot of data, even if their business concerns something else, such as flying aircraft. These companies need to open up to securing their data despite the cost or scary fines, said Emily Taylor, CEO of Oxford Information Labs, a cyber security consulting firm.

"The Information Commissioner's Office is a very big signal for the entire market," Taylor said. "This is the message: Put your house in the information security home."
