British Airways is facing a fine of £183 million for a breach of its security systems in September last year that saw the personal data of half a million customers stolen.
A statement by the Information Commissioner’s Office (ICO) said the incident "involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers."
A fine of £500,000 was imposed on Facebook last year for the Cambridge Analytica scandal but that occurred before new GDPR regulations came into effect in May 2018.
"The penalty is severe, but equally it was the right thing to do as this was a significant data breach," said Stephen Morton Prior, CEO of Clearwater Events.
"There are many companies where data breaches have taken place and the companies have dusted themselves off, learned from their mistakes and added protocol to ensure it doesn’t happen again.
"We all do everything we can to avoid hacks, but hackers are incredibly sophisticated. Only the other day, we received a new enquiry for an event which turned out to be a scam."
Mike Martin, co-founder and managing director of Paragon, also said he thought the fine was "probably justified" but that BA would learn from its mistake.
"This was a highly specialised, targeted attack, and, as far as I’ve read, British Airways followed all the correct procedures once the breach had been identified," said Martin.
"If anything I would assume that this has been a big wake-up call for British Airways, the aerospace industry and global corporations in general, which can only make cybersecurity stronger moving forward."
A statement from British Airways chair and chief executive Alex Cruz said the company was "surprised and disappointed" in the findings.
"British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused."
The ICO also said British Airways had cooperated with its investigation, made improvements to its security arrangements and would have the "opportunity to make representations to the ICO as to the proposed findings and sanction."
IT and data protection specialist lawyer Susan Hall, partner at Clarke Willmott LLP, said: "Businesses will be reeling at the ICO's notice of intention to hand BA a record fine of £183m for being in breach of GDPR. It shows everyone can fail.
"If a business the size of BA can be found wanting, smaller companies should be asking themselves whether their data security arrangements are up to scratch."
For more features and breaking news sign up to C&IT Magazine's daily Newstracker.