On July 8, 2019, the announcement was made: British Airways was ordered to pay a £183 million fine to the ICO (the Information Commissioner's Office, the UK equivalent of the CNIL). In 2018, the theft of financial data from hundreds of thousands of customers constituted a clear violation of the GDPR.
Disappointed with the ICO's decision, Alex Cruz, CEO of British Airways, said: "British Airways responded quickly to the criminal act of stealing its customers' data. No evidence of fraudulent activity on the accounts affected by this theft has been found."
ICO Commissioner Elizabeth Denham issued a statement. "When you are entrusted with personal data, you must protect it. Those who fail to do so will be prosecuted."
The stolen information included the names, postal addresses, email addresses, and bank details of the company's customers.
Since the attack, however, the airline has improved its security procedures, and the ICO could therefore reduce the amount of the fine imposed on the airline. The initial amount of the fine imposed by the ICO represents 1.5% of British Airways' annual turnover for 2017.
Throughout most of 2018, from June to October, British Airways communicated about the cyberattack, which was linked to an IT breach. The airline also promised compensation for affected travelers.
According to RiskIQ (an American IT security company), the criminal team behind the cyberattack is believed to be the "Magecart" group, which was involved in the Ticketmaster case.
















