Following last year's cyber attack on British Airways, the UK Information Commissioner's Office (ICO) has announced its intention to impose a record GDPR penalty of £183m. Hundreds of thousands of customers are reported to have been affected.
The victims were users of the airline's website. The ICO believes the compromise began in June 2018 and estimates that the personal data of around 500,000 customers was harvested after some of the site's traffic was diverted to a fraudulent site. On that basis, the ICO is proposing a fine of £183m under the GDPR.
Magecart, a cyber criminal group known for payment-card skimming attacks on websites, is believed to be behind the incident. The ICO's investigation found that the data was compromised because of poor security arrangements at the company.
In other words, the airline failed to take sufficient measures to protect the following customer data:
– Log-in details
– Payment card details
– Names and addresses
– Travel booking details
According to Elizabeth Denham, the Information Commissioner, an organisation's failure to protect personal data from loss, damage or theft is more than an inconvenience, and the ICO will take action when it happens.
As might be expected, Alex Cruz, CEO of British Airways, has said the airline is surprised and disappointed by the notice. Since no evidence of fraudulent activity has been found on the affected accounts, the airline intends to make representations to the ICO and may appeal any final penalty.
The £183m figure is not set in stone: it is a notice of intent, and the ICO will consider the airline's representations before issuing a final penalty, which could be lower. The previous highest ICO fine was £500,000, issued to Facebook over the Cambridge Analytica scandal. That amount was the statutory maximum under the pre-GDPR Data Protection Act 1998; the GDPR allows penalties of up to 4% of worldwide annual turnover, which is why the proposed BA fine (roughly 1.5% of its 2017 turnover) can be so much larger.