logo-loader
viewInternational Consolidated Airlines Group

IAG faces record £183mln fine from ICO for website data breach

The Information Commissioner's Office plans to fine the FTSE 100 airline operator 1.5% of British Airways' global turnover

hacking
Details from roughly 500,000 transactions were compromised from BA last summer

International Consolidated Airlines Group (LON:IAG) will be hit with a whopping £183.4mln fine over the hacking of British Airways customers’ personal details data from its website last year.

Following new European data protection laws that came in last year, the UK Information Commissioner's Office warned the FTSE 100 airline operator that it plans to impose a penalty of 1.5% of BA’s global turnover for 2017.

READ: Shares in British Airways owner IAG fall as airline vows compensation for data breach

Last September, BA admitted that personal and financial details of customers who made bookings through ba.com or the airline's mobile app between August 21 and September 5 had been stolen in an online security breach.

Details from roughly 380,000 transactions were compromised, although the stolen data did not include passport details.

The ICO informed BA that it intends to issue the airline with a penalty notice for infringing the new General Data Protection Regulation (GDPR), hitting the Anglo-Iberian group with the biggest penalty it had ever handed out.

The fine equates to around 9p per IAG share, analysts at Liberum calculated, adding that with €3.8bn in the bank IAG has "more than adequate liquidity to cover the fine" but as a penalty it was still "substantial".

‘Poor security’

Around half a million users of the BA website were diverted to a fraudulent site, the ICO said, where their details were harvested by the attackers.

The ICO investigation found that data was compromised by “poor security arrangements at the company”, including log in, payment card, and travel booking details as well name and address information.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

BA eyes appeal

BA has cooperated with the investigation and made improvements to its security arrangements, the ICO said, as it awaited a response from the airline to the proposed findings and sanction.

Willie Walsh, chief executive of parent IAG, confirmed the company will make representations: “We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals.”

BA boss Alex Cruz said the airline was “surprised and disappointed” by the ICO’s initial finding, arguing that the company had “responded quickly to a criminal act to steal customers' data”.

He said BA had “found no evidence of fraud/fraudulent activity on accounts linked to the theft” and apologised to customers for “any inconvenience this event caused”.

IAG shares fell 1% to 452.28p on Monday morning. 

George Salmon, analyst at Hargreaves Lansdown, said £183mln “will make a pretty big dent in next year’s numbers, but IAG should be able to withstand its impact as it’s less than 10% of expected net profits and could yet be reduced on appeal”.

Neil Wilson at Markets.com said the proposed fine “shows how the ICO is taking a tougher stance on these kind of data breaches – other companies should take note”.

-- Adds comment and share price --

Quick facts: International Consolidated Airlines Group

Price: 621 GBX

LSE:IAG
Market: LSE
Market Cap: £12.32 billion
Follow

Add related topics to MyProactive

Create your account: sign up and get ahead on news and events

NO INVESTMENT ADVICE

The Company is a publisher. You understand and agree that no content published on the Site constitutes a recommendation that any particular security, portfolio of securities, transaction, or investment strategy is...

FOR OUR FULL DISCLAIMER CLICK HERE

Watch

Full interview: Immotion plans fundraising following deal with Las Vegas resort

Immotion Group (LON:IMMO) has raised gross proceeds of £2.85mln from an 'oversubscribed' fundraising to accelerate its growth plans, and revealed it has inked a revenue-sharing deal with the MGM Mandalay Bay resort and casino in Las Vegas. CEO Martin Higginson tells Proactive London what the...

19 hours, 11 minutes ago

3 min read