British Airways could face a penalty of £183.39 million (€204.6 million) — 1.5% of British Airways' revenues in 2017 — after a security breach of customer data.
The UK Information Commissioner's Office (ICO) announced that it intends to fine the airline for infringement of the General Data Protection Regulation (GDPR), an EU law implemented in 2018 to protect user data.
The notice of intent to fine comes after an investigation into a 2018 incident that the UK's independent information rights authority says compromised roughly 500,000 customers.
The customers were directed from the British Airways site to a fraudulent website where user data was harvested, according to the ICO. The independent authority said that payment, travel booking, name and address information were compromised in part because of poor security practices.
"People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience," said Information Commissioner Elizabeth Denham in a statement.
British Airways has 28 days to make representations to the ICO in response to the notice. The UK's information commissioner will also consider views from EU data protection authorities.
The airline plans to make representations to the ICO and may then appeal the ICO's final decision to the UK Information Rights Tribunal.
"We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft," British Airways chairman Alex Cruz said.
"We apologise to our customers for any inconvenience this event caused," he continued in a statement.
Which other organisations have been fined for data breach?
The ICO previously fined Facebook £500,000 (€557,535) over the Cambridge Analytica scandal that affected as many as 87 million users worldwide. At the time, this was the maximum allowed penalty, which the commissioner did not consider sufficient.
Within the past three months, the ICO has fined a payment protection insurance company £120,000 (€133,843) for sending over 3 million spam texts and fined a pregnancy and parenting club £400,000 (€446,094) for sharing personal information of more than 14 million people.
The GDPR and new UK data protection act entered into effect in May 2018. The GDPR allows maximum fines of up to €20 million or 4% of global turnover.