British Airways (BA) said it was "surprised and disappointed" after the Information Commissioner's Office (ICO) issued it with a notice of intent to fine it £183 million on 8 July 2019.
This is the largest penalty the ICO has proposed to date and the first to be made public under the General Data Protection Regulation (GDPR), which came into force in May 2018.
BA said hackers had carried out a "sophisticated, malicious, criminal attack" on its website. The incident involved customer traffic to the BA site being diverted to a fraudulent site, through which the attackers harvested the personal details of about 500,000 people.
The incident was first disclosed on 6 September 2018. BA initially said that approximately 380,000 transactions were affected and that the stolen data did not include travel or passport details.
Information commissioner Elizabeth Denham said: "People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.
"That's why the law is clear; when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."
Speaking to HR magazine, interim HR director Melanie Steel said that protecting data is the joint responsibility of HR, CIOs, and employees themselves. "This attack was clearly quite sophisticated, and IT and HR departments must share responsibility. We know that if hackers can get hold of employee data it can leave people feeling incredibly violated, so it's really important that individuals understand the importance of taking care of their personal data too," she said.
Employers should pay attention to cybersecurity as part of digital transformation, she added: "There have been plenty of warnings about this for some time. This isn't an isolated incident and it should be looked at as an ongoing problem. When we think about digital transformation cybersecurity must be seen as a fundamental part of that, and there must be a robust plan in place for if the worst happens."
Lesley Holmes, data protection officer at MHR, warned that the fine could in fact have been heavier. "This case is interesting in that the ICO is the lead for all of Europe on these cases. While the fine seems extremely high it could have actually been far worse. The maximum of 4% would have seen this levied at £488 million," she told HR magazine.
While everything must be done to avoid a data breach, HR has a duty to ensure it is prepared for a similar event so it can then minimise the damage caused, she added: "Obviously this can have huge ramifications, and HR needs to think what it can do if there was a similar case in its organisation. In the case of BA you've got to wonder what sort of support employees were given. Were anti-fraud organisations involved?
"How will you deal with employees who might be incredibly distressed as a result of this? Cybersecurity is clearly a business issue; it's up to HR to make sure it's thought through every scenario and that it has the leadership's backing."