The UK's Information Commissioner's Office (ICO) on Monday revealed its plan to slap British Airways with a £183.4 million ($230M) fine over a 2018 data breach, one of the ICO's biggest fines since the General Data Protection Regulation (GDPR) came into effect. The breach is believed to have impacted 500,000 people, the regulator noted.
The breach, which BA disclosed in September, saw people visiting its website being diverted to a fraudulent site, where details including name, billing address, email address, and payment information were harvested.
The initial disclosure said the breach happened between August and September, impacting 380,000 card payments. BA later said that 185,000 people who made bookings between April and July may have been similarly compromised.
Information Commissioner Elizabeth Denham said in a statement that "the law is clear" when it comes to people's personal data.
"When you are entrusted with personal data you must look after it," she wrote. "Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
The $230 million fine is 1.5% of BA's global turnover for the year, its parent company International Airlines Group (IAG) noted in a statement. Under GDPR, companies can be fined the equivalent of $22.4 million or 4% of their total annual worldwide revenue in the preceding financial year, whichever is higher.
"We ar