
GDPR breach could cost British Airways £183m

8 July 2019

A cybersecurity breach in which personal data of around half a million customers of British Airways were diverted to a fraudulent website could cost the company a £183m fine.

The UK Information Commissioner's Office today issued a notice of its intention to fine the airline £183.39m, following an extensive investigation for infringements of the General Data Protection Regulation (GDPR) between June and September 2018.

The potential fine is one of the first under the GDPR to exceed the previous maximum of £500,000. GDPR allows for a fine of up to 4% of global turnover or €20m. The sum proposed amounts to 1.5% of British Airways' worldwide turnover in 2017.

Through the false website, the attackers harvested customer details including login, payment card, and travel booking details as well as name and address information.

The ICO’s investigation found that a variety of information was compromised by poor security arrangements at British Airways. The company has cooperated with the ICO investigation and has since made improvements to its security arrangements. It will now have the opportunity to make representations to the ICO as to the proposed findings and sanction.

The ICO has been investigating this case as lead supervisory authority on behalf of other EU member state data protection authorities. It has also liaised with other regulators. Under the GDPR "one stop shop" provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.

In a statement the ICO said it would consider carefully the representations made by the company and the other concerned data protection authorities before it took its final decision.

Information Commissioner Elizabeth Denham commented: "People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

Rachel Aldighieri, managing director of the Data & Marketing Association (DMA), said: "This is the first fine the ICO has announced under the new GDPR laws and the level of the proposed fine is unprecedented in the UK, highlighting the importance all businesses should place on the security of customers’ data."

She added: "The risks to BA go beyond the potential fines regulators can issue too: the long-term effects on customer trust, share price and public perception could have more lasting damage."
