The Information Commissioner’s Office has said it will seek to fine British Airways £183 million for infringements of the General Data Protection Regulation.
The proposed fine relates to a cyber incident notified to the organisation by the airline in September last year.
The incident, in part, involved user traffic to the British Airways website being diverted to a fraudulent site.
Through this false site, customer details were harvested by the attackers.
Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.
Information commissioner, Elizabeth Denham, said: “People’s personal data is just that – personal.
“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it.
“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO said this was the biggest penalty it had ever handed out and the first to be made public under new rules.
The General Data Protection Regulation, commonly known as GDPR, came into force last year and was the biggest shake-up to data privacy in 20 years.
The investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information.
British Airways cooperated with the investigation and has made improvements to its security arrangements since these events came to light, the ICO said.
The company will now have the opportunity to make representations to the organisation as to the proposed findings and sanction.
The fine is equal to 1.5 per cent of British Airways’ worldwide turnover in 2017, less than the possible maximum of four per cent.
The Information Commissioner’s Office has been investigating this case as lead supervisory authority on behalf of other EU member state data protection authorities.
It has also liaised with other regulators.
Under the GDPR ‘one stop shop’ provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the Information Commissioner’s Office’s findings.
British Airways chief executive Willie Walsh said the airline would appeal the decision.