Following new European data protection laws that came in last year, the UK Information Commissioner's Office warned the FTSE 100 airline operator that it plans to impose a penalty of 1.5% of BA’s global turnover for 2017.
Last September, BA admitted that personal and financial details of customers who made bookings through ba.com or the airline's mobile app between August 21 and September 5 had been stolen in an online security breach.
Details from roughly 380,000 transactions were compromised, although the stolen data did not include passport details.
The ICO informed BA that it intends to issue the airline with a penalty notice for infringing the new General Data Protection Regulation (GDPR), hitting the Anglo-Iberian group with the biggest penalty it had ever handed out.
The fine equates to around 9p per IAG share, analysts at Liberum calculated, adding that with €3.8bn in the bank IAG has "more than adequate liquidity to cover the fine" but as a penalty it was still "substantial".
Around half a million users of the BA website were diverted to a fraudulent site, the ICO said, where their details were harvested by the attackers.
The ICO investigation found that data was compromised by “poor security arrangements at the company”, including log in, payment card, and travel booking details as well as name and address information.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
BA eyes appeal
BA has cooperated with the investigation and made improvements to its security arrangements, the ICO said, as it awaited a response from the airline to the proposed findings and sanction.
Willie Walsh, chief executive of parent IAG, confirmed the company will make representations: “We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals.”
BA boss Alex Cruz said the airline was “surprised and disappointed” by the ICO’s initial finding, arguing that the company had “responded quickly to a criminal act to steal customers' data”.
He said BA had “found no evidence of fraud/fraudulent activity on accounts linked to the theft” and apologised to customers for “any inconvenience this event caused”.
IAG shares fell 1% to 452.28p on Monday morning.
George Salmon, analyst at Hargreaves Lansdown, said £183mln “will make a pretty big dent in next year’s numbers, but IAG should be able to withstand its impact as it’s less than 10% of expected net profits and could yet be reduced on appeal”.
Neil Wilson at Markets.com said the proposed fine “shows how the ICO is taking a tougher stance on these kind of data breaches – other companies should take note”.