The UK Data Protection Authority (ICO) announced on Monday 8 July its intention to impose a fine of £183.39 million on British Airways for breach of the General Data Protection Regulation (GDPR).
The case in question: a data theft that allegedly began in June 2018 and was notified to the ICO in September 2018. Users of the British Airways website were redirected to a fraudulent site that collected details from approximately 500,000 customers, including login, payment card and travel reservation details, as well as their names and addresses.
According to the ICO investigation, it was poor security arrangements within the company that allowed such a cyber incident to occur.
"Rigorous enforcement of GDPR in action. New decision of ICO shows our authorities adjust fines to the scale of the breach", the European Commissioner for Justice, Věra Jourová, wrote in reaction on her Twitter account.
The £183 million penalty would indeed be the highest fine ever imposed by the ICO for data protection violations, British MEP Claude Moraes (S&D) commented on Twitter, saying it was a "warning shot to multinationals to treat our data with care".
The airline will now be able to submit its observations on the proposed sanction before the ICO makes its final decision. (Original version in French by Marion Fontana)