British Airways Faces Fine for Data Hack -- WSJ
July 09 2019 - 03:02AM
Dow Jones News
Potential penalty of $230 million would be biggest initiated
under new EU privacy rules
By Robert Wall and Parmy Olson
This article is being republished as part of our daily
reproduction of WSJ.com articles that also appeared in the U.S.
print edition of The Wall Street Journal (July 9, 2019).
A U.K. privacy watchdog has proposed a potentially record $230
million fine against British Airways, alleging the carrier failed
to protect passenger data after a hack last year.
The move, which British Airways parent International
Consolidated Airlines Group SA said it would fight, represents the
latest and by far biggest penalty initiated by national-privacy
regulators across the European Union since the enactment last year
of new privacy rules for the bloc.
France, in January, imposed a EUR50 million ($56 million) fine
-- the largest to date -- against Alphabet Inc.'s Google. In that
case, France said Google didn't go far enough in getting user
consent to gather data for targeted advertising. Google said Monday
it planned to appeal the decision in the coming weeks.
The EU's General Data Protection Regulation, or GDPR, aims to
hold companies accountable for safeguarding the personal data
increasingly swept up in today's digital world. It falls to
national regulators -- in Britain, the Information Commissioner's
Office -- to enforce the rules for companies within their
jurisdiction.
The proposed fine against the airline amounts to about 1.5% of
its 2017 revenue and more than 6% of IAG's forecast 2019 operating
profit. International businesses have been gearing up for GDPR
compliance for years, but the scale of the ICO proposal -- the
agency's first under the new regulation -- serves as a warning in
making clear the price of falling short.
The ICO's action against British Airways is the "tip of the
iceberg," said Tony Pepper, chief executive of email-encryption
service Egress Software Technologies Ltd. He said the British
regulator has health-care businesses, government agencies and
financial services in its crosshairs and will issue more big fines
over the next six to 12 months. The ICO doesn't oversee the privacy
practices of the big U.S. tech giants that have chosen Ireland as
their European base.
The proposed British Airways fine stems from an increasingly
common corporate hazard -- a breach of customer data. Airlines, in
particular, have faced frequent attempts to penetrate their
records. Last year, Cathay Pacific Airways Ltd., one of Asia's
largest long-haul carriers, and Air Canada both reported instances
of unauthorized access to some customer information.
In the U.S., there is no central authority for probing and
punishing failures at consumer data protection. In many cases,
companies subject to such hacks can be liable for customers'
financial losses stemming from unauthorized access to their data.
States have also taken firms to task for data breaches.
Target Corp. agreed two years ago to pay $18.5 million to
resolve state investigations of a massive 2013 hack that was an
early, high-profile corporate data breach.
Companies have also been held to account for failing to disclose
such hacks, and other, broader privacy issues. Uber Technologies
Inc. last year reached a $148 million nationwide settlement with
U.S. states over allegations it concealed a 2016 data breach.
Facebook Inc. in April set aside $3 billion for an expected fine
from the Federal Trade Commission over alleged privacy
violations.
Regulators in Europe have gained increasing authority to fine
companies for specifically failing to safeguard customer
information or privacy. Ireland has more than 50 privacy
investigations under way, including against tech companies such as
Facebook and Apple Inc. A spokeswoman for Britain's ICO said it
also has several more investigations proceeding.
Under GDPR, regulators can fine a company as much as 4% of
annual sales, though most fines so far have been far smaller,
typically less than $1 million.
Shares in IAG fell 1.4% on Monday in London.
British Airways last year said about half a million passenger
records were accessed in a cyberattack that took place between
August 21 and Sept. 5. The airline carried more than 45 million
passengers in 2018. The airline group said Sept. 6 that it had
discovered and resolved the breach of its website and app and that
police were notified.
The ICO said Monday that a variety of information was
compromised by poor security arrangements at the company, including
login, payment-card and travel booking details as well as name and
address information.
"We intend to take all appropriate steps to defend the airline's
position vigorously, including making any necessary appeals," IAG
Chief Executive Willie Walsh said Monday.
The ICO said the airline has cooperated with its investigation
and made improvements to its security. It also said it would take
into account feedback from British Airways and other
data-protection authorities as it makes a final determination on
the fine.
The airline has 28 days to make its case. The regulator said the
company can appeal against any final determination.
Write to Robert Wall at robert.wall@wsj.com
(END) Dow Jones Newswires
July 09, 2019 02:47 ET (06:47 GMT)
Copyright (c) 2019 Dow Jones & Company, Inc.