British Airways receive £20million fine for data breach

Posted on 19 Oct 2020

The ICO has fined British Airways (“BA”) £20million following a data security breach in 2018.


In July 2019, the ICO notified BA of its intention to issue it with a £183.39million fine. This followed a data security breach between 22 June 2018 and 5 September 2018. Hackers diverted user traffic intended for British Airways’ website and mobile app to a fraudulent site. On this false site, attackers harvested customers’ information. The attack compromised the data of around 429,612 people, including:

  • Names, addresses, payment card numbers and CVV numbers of 244,000 BA customers
  • The combined card and CVV numbers of 77,000 customers
  • Card numbers only for 108,000 customers
  • Usernames and passwords of BA employee and administrator accounts and
  • Usernames and PINs of up to 612 BA Executive Club accounts


After receiving written representations from BA, the ICO finalised its fine. It fined BA £20million, finding its data security measures inadequate. It suggested BA should have taken the following measures to mitigate or prevent the risk of an attacker being able to access the BA network:

  • Limiting access to applications, data and tools to those required to fulfil a user’s role
  • Undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems and
  • Protecting employee and third-party accounts with multi-factor authentication

The ICO noted BA’s security measures have improved significantly since the attack.

The ICO considered both representations from BA and the economic impact of Covid-19 before finalising the penalty.


This is the ICO’s biggest fine to date. However, it is significantly lower than the initial proposed fine. BA cooperated with the ICO in the investigations and notified the ICO promptly upon discovering the security breach. However, this was not enough to escape a penalty. £20million reflects the importance of customer data and the need to safeguard it properly. 

The day after the notice of intent to British Airways, the ICO had proposed a £99.2million fine to Marriott Group. We now wait to see if this fine will be similarly reduced.
