British Airways faces record data breach fine


3 mins

Posted on 08 Jul 2019

British Airways is set to receive the largest ever fine for a data breach. The proposed £183.39 million fine surrounds breaches of its security systems for customers’ data.

The Information Commissioner’s Office (“ICO”) confirmed its intention to fine British Airways on Monday 8 July. This is the first publicised fine from the ICO under the GPDR.

Why are British Airways being fined? 

The breach arose following sophisticated hackers attacking British Airways’ website. User traffic to its website and mobile app was diverted to a fraudulent site. On this false site, attackers harvested customers’ information. Various customer details were compromised, including login details, payment card details and travel arrangements. 

British Airways disclosed the incident to the ICO on 6 September 2018. The ICO’s findings suggest that data had been compromised since around June 2018. 

What is the penalty for a GDPR breach? 

Under the GDPR, the maximum penalty is €20 million or 4% of annual global turnover (whichever is higher). £183 million is around 1.5% of British Airways’ global turnover in 2017. 

British Airways now has 28 days to appeal and make representations before the sanction is finalised. 

What will be the implications of this sanction?

We have seen the ICO flex its muscles more in recent months when issuing fines. However, until now these fines have been under the Data Protection Act 1998 (where the maximum fine was £500,000). This is the first time we have seen the ICO set to utilise new higher penalties under GDPR.

Earlier this year we saw the French data regulator CNIL hit Google with a €50 million fine. This shows how data regulators across Europe are willing to utilise their increased powers if required. 

Since the GDPR’s introduction, the number of complaints (by individuals) and reported security breaches (by organisations) to the ICO have increased significantly. The ICO‘s workload has therefore increased and we can expect it to publish more decisions under GDPR. 

While the penalty imposed on British Airways was less than the maximum available (and at 1.5% of annual global turnover is less than half the maximum), it demonstrates that organisations can face huge fines for data security breaches. In its report, the ICO noted that British Airways had cooperated with the investigations and made improvements to its security systems. However, this was not enough to escape a substantial fine. 

British Airways also faced high media attention when it notified the security breach in September, which shows how brand reputation is also a key factor. 

Organisations need to continually monitor their security mechanisms. Compliance is an ongoing process, so even if they took measures in preparation for 25 May 2018, they need to keep these under review. This latest notice should act as a wake-up call to organisations to ensure their systems are up to date in order to avoid these increased penalties. 

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.

Back to top