British Airways (BA) is facing a possible £500 million fine as it grapples with the fallout of a massive data breach which the airline’s chief executive has described as a “malicious criminal attack”.
Thousands of BA customers have had to cancel their credit cards after the 15-day data hack compromised 380,000 payments.
Cyber criminals behind the attack obtained enough credit card details to use them, and the firm now faces being fined as regulators begin investigating the incident.
BA’s data breach took place after the introduction of the new Data Protection Act, which includes the provisions of the new European General Data Protection Regulation.
Under the new regulations, the maximum penalty for a company hit with a data breach is a fine of either £17m or 4% of global turnover, depending on which is greater.
In the year ended December 31, 2017, BA’s total revenue was £12.2 billion, meaning the company could face a fine of around £500m if the Information Commissioner’s Office (ICO) takes action.
Multiple regulators have been contacted about the data hack, including the National Crime Agency, the National Cyber Security Centre and the ICO.
In a statement, an ICO spokesperson said: “British Airways has made us aware of an incident and we are making inquiries.”
BA chief executive, Alex Cruz
Speaking to the BBC, Alex Cruz, BA’s chairman and chief executive, said: “There was a very sophisticated, malicious criminal attack on our website. We became aware initially on that day, and we began to work on it. We discovered that something had happened, and immediately we began to work.”
Shares in IAG, BA’s parent firm, were down more than 3% in morning trade as investors digested the news.
Cruz went on to apologise for the failure, adding that BA is “100% committed” to compensating customers who were financially affected. He said: “We’re extremely sorry. I know that it is causing concern to some of our customers, particularly those customers that made transactions over BA.com and app.”
He added: “We know that the information that has been stolen is name, address, email address, credit card information; that would be credit card number, expiration date and the three-letter code in the back of the credit card.
“No itinerary information, no frequent flier data, no passport data has been compromised.”
BA said it was investigating the breach, which took place from 11pm on August 21 until 9.45pm on Wednesday, and is co-operating with relevant regulators.
The incident comes after an IT meltdown caused huge disruption for BA passengers at the start of the May half-term holiday.
Some 75,000 passengers were left stranded after a glitch forced the airline to cancel nearly 726 flights over three days.
Following the latest breach, worried customers rushed to social media and helplines after the airline urged anyone who suspected they may have been affected to contact their bank or credit card provider.
There were reports of banks being inundated with calls, leaving account holders in lengthy queues, while some BA customers said they had to have cards cancelled and reissued as a result.
Banks including NatWest and RBS attempted to reassure worried BA customers that they have “significant” levels of security in place but advised account holders to lookout for suspicious activity.
Which? said it was “vital” BA moved quickly to ensure affected customers get clear information and what steps they need to take to protect thems
Why are you making commenting on The National only available to subscribers?
We know there are thousands of National readers who want to debate, argue and go back and forth in the comments section of our stories. We’ve got the most informed readers in Scotland, asking each other the big questions about the future of our country.
Unfortunately, though, these important debates are being spoiled by a vocal minority of trolls who aren’t really interested in the issues, try to derail the conversations, register under fake names, and post vile abuse.
So that’s why we’ve decided to make the ability to comment only available to our paying subscribers. That way, all the trolls who post abuse on our website will have to pay if they want to join the debate – and risk a permanent ban from the account that they subscribe with.
The conversation will go back to what it should be about – people who care passionately about the issues, but disagree constructively on what we should do about them. Let’s get that debate started!
Callum Baird, Editor of The National
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules hereLast Updated:
Report this comment Cancel