The Courier & Advertiser (Fife Edition)
BA could face fine of up to £500m for data breach
Airline vows to compensate thousands of customers as it investigates ‘malicious attack’ on website
British Airways is facing a multi-millionpound fine as it grapples with the fallout of a massive data breach which the airline’s chief executive has described as a “malicious criminal attack”.
Thousands of BA customers have had to cancel their credit cards after the 15-day data hack compromised 380,000 payments.
Cyber criminals behind the attack obtained enough credit card details to use them, and the firm now faces a possible fine of around £500 million over the breach, with regulators now investigating the incident.
BA’s data breach took place after the introduction of the new Data Protection Act, which includes the provisions of the new European General Data Protection Regulation (GDPR). Under the new regulations, the maximum penalty for a company hit with a data breach is a fine of either £17m or 4% of global turnover, whichever is greater.
In the year ended December 31 2017, BA’s total revenue was £12.2 billion, meaning the company could face a fine of around £500m if the Information Commissioner’s Office (ICO) takes action.
Multiple regulators have been contacted about the data hack, including the National Crime Agency, the National Cyber Security Centre and the ICO.
An ICO spokesperson said: “British Airways has made us aware of an incident and we are making inquiries.”
Alex Cruz, BA’s chairman and chief executive, said: “There was a very sophisticated, malicious criminal attack on our website.
“We became aware initially on that day, and we began to work on it.
“We discovered that something had happened, and immediately we began to work.”
Shares in IAG, BA’s parent firm, were down more than 3% in morning trade as investors digested the news.
Mr Cruz went on to apologise for the failure, adding that BA is “100% committed” to compensating customers who are financially affected.
“We’re extremely sorry. I know that it is causing concern to some of our customers, particularly those customers that made transactions over BA.com and app.”
He added: “We know that the information that has been stolen is name, address, email address, credit card information; that would be credit card number, expiration date and the threeletter code in the back of the credit card.
“No itinerary information, no frequent flier data, no passport data has been compromised.”
BA said it was investigating the breach, which took place from 11pm on August 21 until 9.45pm on Wednesday, and is co-operating with relevant regulators.