British Airways-owner IAG (ICAG.L) is facing a record $230 million (183.4 million pounds) fine for the theft of data from 500,000 customers from its website last year under tough new data-protection rules policed by the UK's Information Commissioner's Office (ICO).
The ICO proposed a penalty of £183.4 million, or 1.5% of British Airways' 2017 worldwide turnover, for the hack, which it said exposed poor security arrangements at the airline.
BA indicatedthat it planned to appeal against the fine, the product of European dataprotection rules, called GDPR, that came into force in 2018. They allowregulators to fine companies up to 4% of their global turnover fordata-protection failures.
The attackinvolved traffic to the British Airways website being diverted to a fraudulentsite, where customer details such as log in, payment card and travel bookingdetails as well as names and addresses were harvested, the ICO said.
InformationCommissioner Elizabeth Denham said: "People's personal data is just that –personal.
"When an organizationfails to protect it from loss, damage or theft it is more than aninconvenience. That's why the law is clear – when you are entrusted withpersonal data you must look after it."
BA'schairman and chief executive Alex Cruz said he was "surprised and disappointed"by the proposed penalty.
"BritishAirways responded quickly to a criminal act to steal customers' data," he said.
"We havefound no evidence of fraud/fraudulent activity on accounts linked to thetheft."
