For more than two weeks last year hackers stole data from anyone booking flights on British Airways' website.
And now, as a result, the airline has been hit with an eye-watering Sh23.5 billion (£183,390,000) penalty - a fine so large British Airways described it as both surprising and disappointing.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
"That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways chief executive Alex Cruz said: "We are surprised and disappointed in this initial finding from the ICO.
"British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.
"We apologise to our customers for any inconvenience this event caused."
The penalty notice is worth 1.5 per cent of British Airways' worldwide turnover and was issued under the UK Data Protection Act.
The Information Commissioner's Office's investigation found a variety of information was compromised by poor security arrangements at BA, including login, payment card and travel booking details as well as name and address information.
The ICO said British Airways has cooperated with its investigation and made improvements to its security arrangements since these events came to light.
British Airways said it planned to appeal if possible.
Willie Walsh, chief executive of BA's parent company the International Airlines Group, said: "British Airways will be making representations to the ICO in relation to the proposed fine.
"We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals."
The ICO said it will "consider carefully" the representations BA makes as well as other concerned data protection authorities before it takes its final decision.
The other authorities include EU member state data protection bodies and UK regulators - under GDPR provisions, EU countries with affected residents also have the chance to comment on the ICO's findings.
Last year the airline said the personal and financial details of customers who made bookings on its website or app from 10.58pm on August 21 until 9.45pm on September 5 had been compromised.
More than 380,000 people may have been caught up in the data breach.
Cyber criminals behind the attack obtained enough credit card details to use them, with many banks forced to cancel and re-issue cards as a result of the stolen data.
Researchers at digital security experts RiskIQ claim to have traced the British Airways breach to Magecart, a credit card skimming group.
This is the group also believed to be behind the Ticketmaster hack back in June, and in the case of BA, a similar technique appears to have been employed.
Magecart appears to have been able to inject malicious code into the payment pages of the British Airways website. This code then 'skims' the card and personal details of people shopping on the site as they type them in, details the attackers can then attempt to use to commit fraud.
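The kind of injection described above leaves a trace a site operator can check for: a payment page suddenly carries a script that was not there before. The following is an added example, not code from the article, BA or RiskIQ, showing one defensive check: audit every script on a checkout page against an allowlist of script origins and a baseline of known inline-script hashes. The page HTML, origins and hashes below are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


def sri_hash(source: str) -> str:
    """Subresource-Integrity style sha256 digest of an inline script body."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


class _ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external src or inline body."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def audit_payment_page(html, allowed_origins, baseline_hashes):
    """Flag what a skimmer injection would add: external scripts from
    unlisted origins and inline scripts whose hash is not in the baseline.
    A relative src is reported as '(same-origin)' so the caller decides."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        parts = urlsplit(src)
        origin = f"{parts.scheme}://{parts.netloc}" if parts.netloc else "(same-origin)"
        if origin not in allowed_origins:
            findings.append(f"unexpected external script: {src}")
    for body in collector.inline:
        if sri_hash(body) not in baseline_hashes:
            findings.append(f"unknown inline script: {sri_hash(body)}")
    return findings


# Constructed sample page: two expected scripts, one expected inline block,
# plus an unlisted third-party script and an unknown inline block.
KNOWN_INLINE = "window.checkout = {step: 'payment'};"
SAMPLE_HTML = """<html><body>
<script>window.checkout = {step: 'payment'};</script>
<script src="/static/checkout.js"></script>
<script src="https://cdn.airline.test/analytics.js"></script>
<script src="https://unlisted-cdn.test/js/form.js"></script>
<script>console.log('not in baseline');</script>
</body></html>"""
ALLOWED_ORIGINS = {"(same-origin)", "https://cdn.airline.test"}
BASELINE_HASHES = {sri_hash(KNOWN_INLINE)}
```

Run periodically against the live checkout page (or in CI against the deployed HTML) and alert on any non-empty result; the same hashes can be fed into a Content-Security-Policy so the browser refuses unlisted scripts outright.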
But while the fine is huge, it might have been bigger still: under the rules, the maximum penalty for a company hit with a data breach is either £17 million or 4 per cent of global turnover, whichever is greater.