Walsh says BA will 'vigorously' defend itself over £183m fine
Aer Lingus owner IAG's shares fell as much as 1.5pc after it said the UK Information Commissioner's Office (ICO) could impose a penalty of £183.4m (€205m) for the theft of customer data from British Airways' website last year.
The fine is set to be the biggest ever for a data privacy failure by a company, reflecting the massive stakes businesses now face if they are found to have failed to keep information safe.
The fall in shares yesterday wiped more than £115m off IAG's stock market valuation.
Chief executive Willie Walsh indicated that British Airways is likely to appeal against the proposed fine.
"We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals," he said.
IAG is facing the record fine after the theft of data from 500,000 customers from its website last year.
It is one of the first major cases since the UK's adoption of the European General Data Protection Regulation (GDPR) came into force. In the UK, those tough new data protection rules are policed by the ICO - their equivalent of the Data Protection Commission (DPC) here.
The ICO's proposed penalty is 1.5pc of British Airways' 2017 worldwide turnover.
It said the hack had exposed poor security arrangements at the airline.
The fine could have been as much as 4pc of revenue - in British Airways' case, that would be around £500m. The attack involved traffic to the British Airways website being diverted to a fraudulent site, where customer details including account log-in, payment card and travel booking details, as well as names and addresses, were harvested, the ICO said.
Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal.
"When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience."
BA's chairman and chief executive Alex Cruz said he was "surprised and disappointed" by the proposed penalty.
"British Airways responded quickly to a criminal act to steal customers' data," he said.
"We have found no evidence of fraud/fraudulent activity on accounts linked to the theft."
The ICO said British Airways had cooperated with its investigation and made improvements to its security arrangements.
The company can appeal, and can make representations to the ICO on proposed findings and sanctions.
The ICO investigated as the relevant EU authority, on behalf of the UK and other European regulators, and it will share the proceeds of its penalties.
It fined Facebook a then-maximum £500,000 last year for breaches of data protection law and said that fine would "inevitably have been significantly higher under GDPR".