By Bruce Sussman
Mon | Jul 8, 2019 | 9:54 AM PDT

British Airways is facing a $228 million fine for a data breach that apparently violated the requirements of Europe's GDPR. 

Hundreds of thousands of British Airways customers had their personal information harvested by hackers in 2018 when traffic was diverted to a fake British Airways site.

Britain's Information Commissioner's Office (ICO) is levying the fine. Commissioner Elizabeth Denham explains why:

"People’s personal data is just that—personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear—when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

The ICO says British Airways has improved its cybersecurity since the data breach and will now have a chance to respond to the proposed fine before the final amount is set.

And British Airways is responding in the media already. It told ThreatPost:

"We are surprised and disappointed in this initial finding from the ICO," says Alex Cruz, British Airways chairman and chief executive. "British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused."

If the fine amount stands, it will be the largest, so far, under GDPR.
