The above diagram speaks for itself. British Airways is facing a record fine of £183m for last year's breach of its security systems. The ICO said this is the biggest penalty it has handed out and the first to be made public under the new rules, i.e. the GDPR. It could have been worse: under the GDPR, the maximum fine is 4% of the previous year's annual turnover, which in BA's case would have meant a fine approaching £500m.
The ICO said the incident took place after users of British Airways' website were diverted to a fraudulent site. Through this false site, the details of about 500,000 customers were harvested by the attackers.
In explaining its decision, the ICO said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. The law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from the ICO's office to check they have taken appropriate steps to protect fundamental privacy rights."
The ICO also said a variety of information was "compromised" by poor security arrangements at the company, including login, payment card and travel booking details, as well as name and address information.
BA initially said the information involved included names, email addresses and credit card information such as card numbers, expiry dates and the three-digit CVV code found on the back of credit cards.
Until now, the biggest penalty was £500,000, imposed on Facebook for its role in the Cambridge Analytica data scandal. That was the maximum allowed under the old data protection rules that applied before the GDPR.
This might not be the end of the matter for BA. Regulation and enforcement in the UK have normally mirrored or followed what is happening in the US. In the US, Facebook is facing a fine of approximately USD 100 million from the Securities & Exchange Commission (SEC) for allegedly misleading its investors about third parties' use of Facebook's data. Could the UK securities regulator likewise launch an investigation into alleged misrepresentation by BA when it first disclosed the breach to the public, all the more so if that announcement came several months after the breach was discovered?
The message is clear: if you don't treat your customers' data with the utmost care, expect severe punishment when things go wrong.