British Airways may be forced to pay $229 million to some half a million customers who flew with the carrier last August and early September. Estimates of the number of affected passengers have fluctuated, with figures of 244,000 and 380,000 reported, but the total is now believed to be some 500,000. The data breach was created by a false site that diverted traffic from the airline’s official website and managed to collect personal data. The site was believed to have started these activities on June 18, 2018.
“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights,” said Information Commissioner Elizabeth Denham in a statement.
The Information Commissioner’s Office (ICO), an independent oversight authority in the U.K., notes the carrier’s cooperation in investigating the matter and says it has found that a variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information.
The ICO will seek to fine British Airways £183 million (about $229 million) for infringements of the General Data Protection Regulation. The ICO said this was the biggest penalty it had ever handed out and the first to be made public under new rules. British Airways has made improvements to its security arrangements since these events came to light, the ICO said.
British Airways chief executive Willie Walsh said the airline would appeal the decision.