One of the largest airlines in the world is facing a record fine, $229 million, following what the UK's privacy watchdog alleges is a violation of the European Union's General Data Protection Regulation (GDPR).
The UK Information Commissioner's Office (ICO) announced its intention to fine the airline, British Airways, on Monday in an announcement to the London Stock Exchange. The fine, £183.39m, stems from an incident the company was forced to report to the ICO, the UK's main data protection authority, last fall.
The incident, which made headlines shortly after it happened, involved the compromise of more than 500,000 card payments made through the airline's website and mobile app in August 2018. Any travelers who made bookings or changes to bookings between August 21 and September 5 were likely affected. The airline said at the time that customers' names, billing addresses, email addresses, and bank card details may have been compromised, in addition to travel booking details.
The ICO said its investigation found that "poor security arrangements" were to blame for leaking the data.
If approved, the fine will easily be the largest under GDPR; the previous record, a fine against Google for $57 million, was levied in January.
The company told publications, including the Washington Post, on Monday that it was upset with the intent to fine.
"British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused," the company said in a statement on Monday.
The ICO reiterated that the GDPR is clear when it comes to data theft.
“People’s personal data is just that—personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience,” Elizabeth Denham, the Information Commissioner said Monday. “That’s why the law is clear—when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Under GDPR, a company can be fined a maximum of 4 percent of its worldwide turnover. The British Airways fine is roughly 1.5 percent of British Airways' 2017 revenue, meaning it falls within the limit the law allows.