British Airways is facing the prospect of a £183.4m fine following a cyberattack against its systems last year.
The proposed record penalty from the Information Commissioner's Office comes following a data breach which is thought to have affected hundreds of thousands of customers who used the British Airways website between April and June 2018. The breach was disclosed in September.
The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site, where the personal details of around 500,000 customers were harvested by the attackers. The attack is believed to have begun in June 2018.
The ICO has announced its intention to issue the fine under the General Data Protection Regulation, the European Union data protection law that was introduced in May last year. The planned figure is by far the largest penalty notice issued under GDPR.
Following what is described as an "extensive investigation", the ICO has concluded that information was compromised by "poor security arrangements" at British Airways. This relates to the security of login, payment card and travel booking details, as well as name and address information.
"People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience," said information commissioner Elizabeth Denham.
"That's why the law is clear – when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
British Airways chairman and chief executive Alex Cruz said the company is "surprised and disappointed" at the ICO's findings, claiming the company found "no evidence of fraudulent activity on accounts linked to the theft".
British Airways has 28 days to appeal against the decision – and parent company International Airlines Group intends to do so.
"British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals," said IAG chief executive Willie Walsh.
An ICO statement says it will "consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision". The final figure for the fine could be lower.
The previous highest penalty issued by the ICO was £500,000. This was the maximum that could be levied under the old rules, and it was most recently imposed on Facebook for its role in the Cambridge Analytica scandal.