British Airways Faces Record $230 Million Fine for Data Breach

LONDON — The British authorities said on Monday that they intended to order British Airways to pay a fine of nearly $230 million for a data breach last year, the largest penalty against a company for privacy lapses under a new European data protection law.

Poor security at the airline allowed hackers to divert about 500,000 customers visiting the British Airways website last summer to a fraudulent site, where names, addresses, login information, payment card details, travel bookings and other data was taken, according to the Information Commissioner’s Office, the British agency in charge of reviewing data breaches.

In a statement British Airways said that it was “surprised and disappointed” by the agency’s finding and that it would dispute the judgment.

The penalty signals a new era for companies that experience large-scale data breaches. Frustrated that businesses were not doing enough to protect people’s online information, European policymakers last year adopted a new law, the General Data Protection Regulation, known as G.D.P.R., that allows regulators in each European Union country to issue fines of up to 4 percent of a company’s global revenue for a breach. And by acting against an iconic British brand, officials showed that enforcement would not be limited to American-based tech companies, who have been seen as a primary target.

Previously, fines by the Information Commissioner’s Office were capped at 500,000 pounds, or about $625,000. That was the fine it imposed on Facebook last year for allowing Cambridge Analytica to harvest information on millions of users without their consent.

Facebook and Google are among other companies currently under investigation by the European authorities over breaches of the landmark law.

“People’s personal data is just that — personal,” Elizabeth Denham, the information commissioner, said in a statement. “When an organization fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear — when you are entrusted with personal data you must look after it.”

But Alex Cruz, the chairman and chief executive of British Airways, said the company had “responded quickly to a criminal act to steal customers’ data.” The hack occurred in 2018, from June until September.

“We have found no evidence of fraud/fraudulent activity on accounts linked to the theft,” he said.

Europe’s experience is being closely watched by governments around the world, including in the United States, where policymakers have pursued new privacy legislations that require companies to be more transparent about how data is collected and used. And while federal privacy regulation in the United States has gained momentum, it’s considered unlikely to be enacted anytime soon.

Since the European data-privacy law was enacted last May few penalties have been announced. In January, French regulators fined Google 50 million euros, or about $56 million, for not properly disclosing how data was collected across its services.

The threat of hefty fines is intended to encourage companies to invest in cybersecurity and be more judicious about the information they collect and store on users. Companies have for years gathered details about people as a way to create better profiles about them to sell more products and services.

“It gives a sense of what the risk may be for companies involved in far greater breaches,” said Johnny Ryan, the chief policy officer at Brave, a privacy-focused web browser. “Regulators may, finally, be starting to get active.”

As hacks have become more common, customers are often left feeling helpless when information is exposed in breaches of large companies like the credit-scoring company Equifax, hotel chain Marriott, and internet company Yahoo. Without G.D.P.R., policymakers said there was little recourse beyond bad publicity.

“This is a considerable step change from the previous fining regime, and is indicative of how the I.C.O. seeks to incentivize security practices to stop data breaches like this,” said Michael Veale, a digital rights researcher who will be joining the faculty at University College London, who specializes in the new data law. He said he suspected regulators determined the fine “on the basis that this was a wholly avoidable data breach which resulted from sloppy technical and organizational practices.”

Companies have argued that even the best cybersecurity practices can be thwarted by patient and talented hackers. Breaches often result from a mistake made by an employee, such as clicking on an infected attachment, that then spreads within the broader corporate network.

The British decision to fine British Airways £183.5 million, worth about 1.5 percent of the airline’s annual revenue, is not final. The agency said it would “carefully consider” responses from the airline and others to its penalty before issuing a final decision.