A record fine has been issued to British Airways following the loss of customer data in 2018
The breach in September last year saw hackers obtain names, email addresses and credit card details entered on the British Airways website and app. Of most concern is that they also managed to obtain CVV numbers (the 3 digits on the back of the card), which BA insists were not stored on its databases. The result was that the personal data of 380,000 people was put at risk.
The fine has been issued by the Information Commissioner's Office (ICO).
Information Commissioner Elizabeth Denham said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The fine itself, although the highest we have seen to date, is not as severe as it could have been. It represents 1.5% of BA's annual turnover, but the GDPR allows for fines of up to 4% of turnover, meaning BA could have faced a fine verging on £500 million.
The ICO are making their message very clear: if a company does not take steps to protect the personal data it holds, there will be consequences.
Protecting personal data is now more important than ever, and with the powers the GDPR affords the ICO, the fine imposed on British Airways will not be the last of its kind. The ICO are currently investigating more data incidents than ever before, so no matter the size of your business, if you hold personal data, now is the time to ensure you are doing everything possible to protect it.
Discover a simple way for SMEs to monitor data and prove compliance.