British Airways is facing a possible fine of around £500 million over a data breach that compromised 380,000 card payments after regulators said they were “making enquiries”.
BA, which is owned by International Airlines Group (IAG), has said criminal activity put the personal and financial details of thousands of customers at risk over a 15-day period.
The breach took place from 11pm on August 21 until 9.45pm on Wednesday.
Multiple regulators have been contacted about the data attack, including the National Crime Agency, the National Cyber Security Centre and the Information Commissioner’s Office (ICO).
In a statement, an ICO spokesperson said: "British Airways has made us aware of an incident and we are making inquiries."
‘A sophisticated, malicious criminal attack’
The data breach took place after the introduction of the new Data Protection Act, which included the provisions of the new European General Data Protection Regulation (GDPR).
Under the new regulations, the maximum penalty for a company hit with a data breach is a fine of either £17 million or four percent of global turnover, whichever is greater.
In the year ending December 2017, BA’s total revenue was £12.2 billion, meaning the company could face a fine of around £500 million if the ICO takes action.
BA said it was cooperating with all the relevant regulators following the breach.
Speaking on the BBC, Alex Cruz, BA's chairman and chief executive, said: "There was a very sophisticated, malicious criminal attack on our website.
"We became aware initially on that day, and we began to work on it. We discovered that something had happened, and immediately we began to work."
Shares in IAG were down more than 3% in morning trade.