British Airways Facing Record Fine after Security Breach
Reputational harm and the cost of restoring systems are not the only costs incurred by companies that fall victim to cyberattacks. British Airways is currently facing a record fine of roughly $230 million (£183 million) after its website failed to protect the personal details of around 500,000 customers.
The fine faced by British Airways is the steepest yet proposed under Europe's General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. The EU introduced the regulation in the wake of increasing cyberattacks and data leaks, forcing companies to place consumer privacy at the forefront of their business decisions.
Under GDPR, companies must ensure that the way they collect, process, and store personal data is secure. Any company holding or processing data on people residing in the EU is subject to the regulation, regardless of where the company is based. Companies that fail to comply face fines of up to 4% of their annual global turnover. The $230 million fine British Airways is facing is roughly 1.5% of the company's annual turnover.
The UK Information Commissioner's Office (ICO) attributed the breach to poor security arrangements on the British Airways website, which allowed user traffic to be diverted to a fraudulent site from June 2018 onwards. That weakness let the attackers harvest sensitive data, including customer log-in details and payment card information.
IAG, the parent company of British Airways, has 28 days to appeal the penalty and has openly stated that it intends to do so. "British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud [or] fraudulent activity on accounts linked to the theft," British Airways CEO Alex Cruz said in a statement.
The fine faced by British Airways is entirely unprecedented. Until now, the steepest penalty the ICO had imposed on a company was a $626,000 (£500,000) fine on Facebook over the Cambridge Analytica scandal, which was the maximum penalty available under UK law before GDPR came into effect.