British Airways fetches £183 million Cyber Attack penalty after GDPR


British Airways (BA), which suffered a major cyber attack in September last year, received its latest jolt over the last weekend. The UK’s Information Commissioner’s Office (ICO) issued an official statement early today saying that it has imposed a penalty of £183 million, possibly the biggest penalty ever issued against a firm since the new EU Data Protection Regulations (GDPR) kicked in in May 2018.

A news post published by the BBC today claims that the owner of BA, Alex Cruz, was surprised and disappointed with the fine and might appeal by the end of this month, in line with the 28-day deadline the law sets for appeals.

According to the latest GDPR, any firm which becomes a victim of a cyber attack should report the breach within 72 hours.

In line with this, British Airways reported the breach to its customers within 42 hours, stating that information related to over 380,000 booking transactions was stolen in a cyber attack, including details such as credit card numbers, expiry dates and CVV codes.

Investigations later revealed that hackers stole the data via a malicious script, as part of a skimming campaign which was also seen in the data theft of Magecart and Ticketmaster.

Note: Currently the ICO, the data watchdog, can impose a fine of at most 4% of a company's turnover. Previously it only had the right to impose a fine of £500,000 at the maximum.

It seems the penalty will serve as a wake-up call to companies and websites which collect personal information from their customers, especially financial information such as credit card data.

Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security
