The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.
The ICO’s investigation has found that a variety of information was compromised by inadequate security arrangements at the company, including login, payment card, and travel booking details as well as name and address information.
The UK Information Commissioner’s Office said the penalty notice is worth 1.5% of British Airways’ worldwide turnover and was issued under the UK Data Protection Act. The fine relates to the theft of customers’ personal and financial information between June 2018 and September 2018 from the website ba.com and the airline’s mobile app.
The airline initially said around 380,000 payment cards had been compromised; however, the ICO said in a statement that the personal information of 500,000 customers had been affected.
Romanian DPA fines UniCredit €130,000 for data protection by design failures.
The National Supervisory Authority for Personal Data Processing (‘ANSPDCP’) announced, on 4 July 2019, that it had fined UniCredit Bank S.A. €130,000 for breach of Article 25(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) relating to the principles of data protection by design and by default.
The ANSPDCP found that the failure to implement appropriate technical and organisational measures, ones that apply the data protection principles effectively and integrate the necessary safeguards into the processing of data, led to the disclosure of data concerning 300,000 data subjects during the period of 25 May 2018 to 10 December 2018.