Record fine from the UK data protection authority for the British Airways data breach
The UK data protection authority, the Information Commissioner's Office (ICO), fined British Airways GBP 183 million for an attack last September that exfiltrated customer data, including 380,000 credit card numbers.
The breach was caused by malware installed on BA.com, the company's website, which diverted user traffic to a fraudulent site where customer details were then harvested by the attackers.
The stolen information includes customers' names, postal addresses and e-mail addresses and, most seriously, their payment card details: the card number, expiry date and the three-digit security code (CVV).
Particularly serious was not only the vulnerability of the affected systems, attributable to the company's inadequate security measures, but also the irregular and unauthorized storage of the CVV: under the card-handling rules set by the PCI DSS (Payment Card Industry Data Security Standard), no operator that processes payment cards is permitted to store the CVV.
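The attack pattern described above (an injected script on the legitimate site sending checkout data to a host the attacker controls) is one that a strict Content Security Policy on the payment page, combined with monitoring of which script origins actually appear on the served page, is designed to detect and contain. The following is an added illustration, not code from the article or from British Airways; every hostname in it is a constructed placeholder.

```javascript
// Added example (not from the article or the affected company): a defender-side
// pair of checks for a payment page. A CSP that pins where scripts may load from
// and where forms and fetch/XHR may send data limits the "divert checkout data to
// a fraudulent host" pattern; an allowlist comparison over the scripts actually
// served is the detection signal. All origins below are constructed placeholders.

const ALLOWED_SCRIPT_ORIGINS = ["'self'", "https://cdn.example-airline.invalid"];
const ALLOWED_DATA_TARGETS = ["'self'", "https://pay.example-psp.invalid"];

// Build a Content-Security-Policy header value for a checkout page.
function buildCheckoutCsp(scriptOrigins, dataTargets) {
  return [
    `default-src 'self'`,
    `script-src ${scriptOrigins.join(" ")}`, // no inline scripts, no unlisted hosts
    `connect-src ${dataTargets.join(" ")}`,  // fetch/XHR/WebSocket destinations
    `form-action ${dataTargets.join(" ")}`,  // where a <form> is allowed to POST
    `object-src 'none'`,
    `base-uri 'self'`,
  ].join("; ");
}

// Return the origin of a (possibly relative) URL, or null if it cannot be parsed.
function originOf(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).origin;
  } catch {
    return null;
  }
}

// Given the script URLs present on a served page (e.g. collected by a
// synthetic-monitoring crawl), return those whose origin is not allowlisted.
// A new entry appearing here is the alert condition for an injected skimmer.
function findUnexpectedScripts(scriptUrls, pageOrigin, allowedOrigins) {
  const allowed = new Set(
    allowedOrigins.map((o) => (o === "'self'" ? pageOrigin : originOf(o, pageOrigin)))
  );
  return scriptUrls.filter((u) => !allowed.has(originOf(u, pageOrigin)));
}

// Constructed sample: one first-party script, one CDN script, one unexpected host.
const sampleScripts = [
  "/static/checkout.js",
  "https://cdn.example-airline.invalid/lib/modernizr.js",
  "https://assets-collector.invalid/js/form.js",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(buildCheckoutCsp(ALLOWED_SCRIPT_ORIGINS, ALLOWED_DATA_TARGETS));
  console.log(
    findUnexpectedScripts(sampleScripts, "https://www.example-airline.invalid", ALLOWED_SCRIPT_ORIGINS)
  );
}
```

The `connect-src` and `form-action` directives are the ones that matter most for the exfiltration step: even if a script does get injected, the browser refuses to send form data or XHR requests to a host outside the list. The allowlist check is only as good as its inventory, so the list of expected origins should be reviewed whenever a third-party dependency is added to the page.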
The fine is the highest ever imposed by the ICO for a data breach, exceeding the record sanction given to Facebook over the Cambridge Analytica case.
The GDPR allows fines of up to 4 percent of the turnover of a company that violates its customers' privacy rights. The ICO's fine was calculated as 1.5 percent of British Airways' entire revenue in 2017, so the maximum rate set by the GDPR was not applied. The airline now has 28 days to appeal.