
The £183m British Airways fine is a game-changer for consumers

Inside Business: Penalties from the Information Commissioner of up to 4 per cent of turnover should incentivise investment in cybersecurity 

James Moore
Chief Business Commentator
Monday 08 July 2019 16:14 BST
Organisations which hold our data have a responsibility to do whatever it takes to keep it secure (Simon Calder)

They’re fining us when we’re the victims? Poor us!

That’s what British Airways’ reaction to being told by the Information Commissioner’s Office (ICO) of an intent to fine the airline £183m over a data breach last year feels like.

Here’s Alex Cruz, chair and chief executive: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

There was then the standard “we apologise to our customers for any inconvenience this event caused” at the end of his quote, which will probably come as slim comfort to those whose details found their way into the hands of criminals during the breach.

Around 500,000 of them were diverted to a fraudulent website while they were trying to use BA’s. It harvested their details. The breach went on for several weeks, and while it did not include the passport details and travel information of those caught up in it, it did include their credit card details.

Improvements were, BA said, subsequently made.

Now it could just be me, but the victims here are the people who had their details stolen, not BA. Yes, crooks were responsible for the thefts, and yes they should be pursued and punished. But their activities don’t and shouldn’t absolve the airline of responsibility. Quite the reverse.

Organisations which hold our data have a responsibility to do whatever it takes to keep it secure. The regularity with which breaches have been reported suggests too many of them haven’t been doing enough.

Unfortunately for the watchdogs charged with getting them to pull their virtual socks up, the previous maximum fine that could be levied was just £500,000. The framework they were operating under was woefully inadequate. For a company like BA, that’s a drop in the ocean.

It is the EU’s General Data Protection Regulation (GDPR) that has changed the rules of the game.

Under it, the ICO can levy fines of up to 4 per cent of companies’ turnover.

Of course, it’s one thing to have that sort of power, and quite another to use it. It is to the ICO’s considerable credit that it has made clear that it will do so.

BA’s proposed fine actually amounts to 1.5 per cent of its turnover. So you could make the case that it has been given plenty of credit for co-operating with the authorities and making the improvements its bosses have been banging on about.

You could even make the case that it is getting off relatively lightly.

If the penalty is confirmed – and I imagine that the ICO will have prepared itself for trouble from the first company to fall afoul of new rules – the fine should prompt some serious thought among corporate Britain’s IT chiefs. Scratch that. It should create some serious thought among its CEOs and finance directors.

Fines like that are big enough to hurt. They should incentivise greater investment in data security. If that’s the result of this, it will be a most welcome development for consumers at the sharp end.
