LONDON (AP) — British Airways is facing a 183 million-pound ($229 million) fine over a breach that compromised information on half a million customers — the biggest penalty to date under new, tougher regulations and one that is likely to be seen as a test case for companies that fail to secure big data caches.
Britain's Information Commissioner proposed the fine on Monday, months after BA revealed it had been the victim of a hack. The scam saw customers diverted to a fake website where credit card details were harvested by the attackers.
"People's personal data is just that - personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience," Information Commissioner Elizabeth Denham said. "That's why the law is clear - when you are entrusted with personal data you must look after it."
The regulator said that the proposed fine — equivalent to 1.5% of the airline's annual revenue — is the biggest it has ever imposed. It comes about a year after European Union member states began implementing the most sweeping change in data protection rules in a generation.
The General Data Protection Regulation, or GDPR for short, is designed to make it easier for EU residents to give and withdraw permission for companies to use personal information — but also forces companies that hold data to be accountable for looking after it. Authorities can fine companies up to 4% of annual revenue or 20 million euros ($22.5 million), whichever is higher, for breaching the rules.
The Information Commissioner's Office says its investigation of BA found that "poor security arrangements" compromised login, payment card, and travel booking details as well as name and address information.
The parent company of BA, International Airlines Group, said it would fight the proposed fine. It has 28 days to make its case in the first step of the process, which could take some time to complete.
"We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals," said IAG CEO Willie Walsh.
The proposed fine is the largest the ICO has issued since it told Facebook to pay 500,000 pounds ($663,000) for allowing the political consultancy Cambridge Analytica to forage through the personal data of millions of unknowing Facebook users.
But the Facebook matter took place before the new GDPR rules came into effect and was the maximum penalty at the time of the incidents.
Monday's announcement is a watershed moment for Denham's office, in that it marks the first major foray into what happens under the new legislation when information authorities accuse well-meaning companies of falling short in data protection regimes.
The proposed BA fine could particularly worry companies that use lots of data, even though their business concerns something else, such as flying planes. These companies have to really open themselves to securing their data despite the cost or face scary fines, said Emily Taylor, CEO of Oxford Information Labs, a cyber security consultancy.
"(The information commissioner's office) are going for a very big signal to the entire marketplace," Taylor said. "This is the message: Get your information security house in order."