British Airways, which in 2018 compromised the personal data of nearly 500,000 customers due to a security breach, faces a €183.39 million fine. The UK Information Commissioner's Office (ICO) has said that the penalty decision against British Airways has not yet been finalised, because the company can appeal within 28 days to have the penalty reduced.
The ICO reported that the security breach is thought to have begun in June 2018, before the reported date. The statement attributed the breach to poor security measures.
A fraudulent website set up by an unknown third party managed to attract British Airways traffic, and access information, payment card details, names, addresses, and personal data such as travel bookings were collected.
The GDPR requires companies to report discovered data breaches to the relevant European authorities within 72 hours. Under the regulation, Europe's local data protection agencies can impose penalties of up to 4 per cent of a company's annual revenue.
Given that BA generated $15 billion in revenue last year, the proposed ICO penalty amounts to 1.5 percent of the company's 2017 revenue. The penalty is therefore well below the maximum level that can be imposed.
Meanwhile, the fine imposed on BA is the highest amount ever set under GDPR. Fines so far have ranged from tens of thousands of euros to hundreds of thousands of euros. This is the first time a penalty has reached 100 million.
For example, Google was fined €50m by the French data privacy agency CNIL in January over advertising personalization, while Facebook paid a fine of 500,000 euros over the Cambridge Analytica scandal.