British Airways faces a whopping £183.39 million ($US230 million) fine over a data breach in 2018 that saw the personal data of 500,000 customers compromised.
The record fine proposed by the UK Information Commissioner’s Office, an independent authority set up to uphold information rights, is for breaches of the European Union’s General Data Protection Regulation.
The airline says it will pursue all avenues of appeal.
The penalty relates to an incident reported in September 2018, in which user traffic was diverted to a fraudulent website where customer details, including credit card information, were harvested by hackers.
The incident is believed to have begun in June of that year.
“People’s personal data is just that – personal information,” Information Commissioner Elizabeth Denham said in a statement.
“When an organization fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it.
“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO said BA had co-operated with the investigation and subsequently made improvements to security arrangements.
It said the airline would now have the opportunity to make representations about the penalty and these would be considered carefully.
BA chief executive Alex Cruz told UK media the airline was surprised and disappointed by the penalty.
He said the company had responded quickly to the breach and had found no evidence of fraudulent activity on accounts linked to the breach.
BA was not the only airline to be hit by hackers in 2018.
A massive data breach saw hackers gain access to the personal details of up to 9.4 million customers of Hong Kong-based Cathay Pacific.
The airline revealed in October that the data accessed varied for each passenger but could include name, nationality, date of birth, phone number, email, address, passport number, identity card number, frequent flyer number, customer service remarks and historical travel information.
It said later that year that cybersecurity experts engaged to search the dark web and other sites had found no evidence the stolen details of 9.4 million customers had appeared in those criminal forums.
Earlier this year, mobile security company Wandera said some airlines were using unencrypted e-ticketing links that could expose customers’ personal information to hackers.
Airlines identified by the researchers as sending unencrypted links included Australian low-cost carrier Jetstar, Southwest Airlines, Air France, KLM, Spanish budget carrier Vueling and British charter carrier Thomas Cook.