British Airways Faces $230 Million Fine Over Data Breach as European Privacy Rules Start to Bite

Source: WSJ | Published on July 8, 2019

A U.K. privacy watchdog has proposed a $230 million fine for the owner of British Airways—potentially a record privacy-related penalty in Europe—alleging it failed to protect passenger data after a hack last year.

The move, which British Airways owner International Consolidated Airlines Group SA said it would fight, represents the latest, and by far biggest, proposed penalty issued by national-privacy regulators across the European Union. The fines follow the EU’s enactment last year of sweeping new privacy rules across the bloc aimed at holding companies accountable for protecting the personal data increasingly swept up in today’s digital world.

It falls to national regulators to enforce the rules with companies over which they have jurisdiction. The proposed fine in Britain overshadows the next largest: France, in January, imposed a €50 million ($56 million) fine against Alphabet Inc.’s Google. In that case, France said Google didn’t go far enough in getting valid consent to gather data for targeted advertising. Google said it planned to appeal the decision in the coming weeks.

The proposed fine against British Airways—accounting for about 1.5% of IAG’s 2017 revenue and more than 6% of its forecast 2019 operating profit—threatens to become a shot across the bow of Europe Inc., as well as a warning to foreign firms that do business here. While many international businesses have been gearing up for General Data Protection Regulation, or GDPR, compliance for years, Britain’s proposed fine makes clear the large financial stakes of falling short.

The ICO’s proposed fine is the “tip of the iceberg,” said Tony Pepper, chief executive of email-encryption service Egress Software Technologies Ltd. He believes the British regulator has health care businesses, government agencies and financial services in its crosshairs and will issue more big fines over the next six to 12 months. The ICO doesn’t oversee the privacy practices of the big U.S. tech giants that have chosen Ireland as their European base.

The proposed fine stems from an increasingly common corporate hazard—a breach of customer data. Airlines, in particular, have faced frequent attempts to penetrate their customer records. Last year, Cathay Pacific Airways Ltd., one of Asia’s largest long-haul carriers, and Air Canada both reported their own instances of unauthorized access to some customer information.

In the U.S., there is no central authority tasked with probing and punishing instances where data protection measures fall short. In many cases, companies that fall victim to such hacks can be liable for customers’ financial losses stemming from the unauthorized breach of their data. States have also taken firms to task for data breaches.

Target Corp. agreed two years ago to pay $18.5 million to resolve an investigation by state prosecutors into a massive 2013 hack—one of the early, high-profile corporate data breaches. Companies have also been held to account over failing to disclose such hacks, and other, broader privacy issues. Uber Technologies Inc. last year reached a $148 million nationwide settlement with U.S. states over allegations it concealed a 2016 data breach. Facebook in April set aside $3 billion for an expected fine from the Federal Trade Commission over alleged privacy violations.

Regulators in Europe have gained increasing authority to fine companies for failing to specifically safeguard customer information or privacy. Ireland has more than 50 privacy investigations under way, including against tech companies such as Facebook and Apple Inc. A spokeswoman for Britain’s ICO said it had several more investigations under way, as well.

The proposed fine is the first for Britain’s ICO. Under GDPR, regulators, in extreme cases, can fine a company as much as 4% of annual sales. Most fines so far have been far smaller, typically less than $1 million. Shares in IAG opened 1.5% lower in London.

British Airways last year said about half a million passenger records were accessed in a cyberattack that took place between Aug. 21 and Sept. 5. The airline carried more than 45 million passengers in 2018. The airline group said Sept. 6 it had discovered and resolved the breach of its website and app and that police were notified.

The British regulator, in a statement, said “a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.”

IAG Chief Executive Willie Walsh said that “we intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.” The airline has cooperated with the investigation, the regulator said, and made improvements to its security.

The ICO said it would take into account feedback from British Airways and other data protection authorities as it makes a final determination on the fine. The airline has 28 days to make its case. The regulator said the company can appeal against any final determination.