Britain's Information Commissioner’s Office has proposed fining British Airways £183.4 million ($329 million) for infringing the EU’s General Data Protection Regulation after hackers harvested the information of around 500,000 customers.
Login credentials, payment card numbers, travel bookings, and names and addresses were compromised in last year's attack, which diverted traffic from a BA website to a fraudulent page.
British Information Commissioner Elizabeth Denham said the public had a fundamental right to privacy.
“People’s personal data is just that – personal,” she said.
“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
“That’s why the law is clear – when you are entrusted with personal data you must look after it.”
In September, British Airways notified the ICO of the attack, which is estimated to have begun in June last year.
The ICO said that British Airways has since cooperated with investigations and has improved information security.
Chairman and CEO of British Airways, Alex Cruz, said he was “surprised and disappointed” with the ICO’s penalty.
“British Airways responded quickly to a criminal act to steal customers’ data,” Cruz said in a statement.
“We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
EU regulations bring heavy penalties
The GDPR is the world’s toughest set of privacy protection laws.
All organisations that store data on EU citizens are required to adhere to the GDPR, which came into effect last year.
At the time, the majority of Australian businesses were unaware of how they would be affected by the new regulations.
Penalties for breaching the GDPR can be severe – maxing out at either €20 million ($32 million) or 4 per cent of global revenue.
A recent study into the cost of cybercrime found GDPR penalties to be one of the biggest cybercrime expenses for businesses.
Earlier this year, France’s privacy protection agency slapped Google with an $80 million fine.
In Australia, the Office of the Australian Information Commissioner (OAIC) can apply to the courts for maximum fines of up to $420,000 for contraventions of the Privacy Act.
The Commonwealth Bank has recently been required to change its practices after the OAIC found its information security protocols were severely lacking.
All organisations are required to inform the OAIC of privacy incidents under the Notifiable Data Breaches scheme.
Failure to comply with Australia's rules can attract fines up to $2.1 million.
The British regulator's final decision on the size of the fine will be made after the agency considers representations by BA and other concerned data protection authorities.