Airline facing massive penalty after incident in which regulator claims the personal data of 500,000 customers was compromised

Credit: Horst Ossinger/DPA/PA Images

The Information Commissioner’s Office has hit British Airways with a fine of £183.4m for breaching the European General Data Protection Regulation – by far the largest such penalty ever imposed.

The fine relates to a large-scale cybertheft of BA customer data that took place last year. The ICO said that the incident “is believed to have begun in June 2018” and affected the personal information of about 500,000 customers. 

During the attack, a number of visitors to the airline’s website were “diverted to a fraudulent site” where their details were “harvested”, according to the regulator. 

The airline initially notified the regulator of the breach on 6 September 2018, with another notification related to the same incident provided on 25 October.

The ICO said that its subsequent investigation found that “a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information”.

The airline has been ordered to pay a fine of £183.39m – which equates to about 1.5% of the £12.27bn annual revenue BA posted in 2017. The size of the penalty is by far the largest ever handed out by a European data regulator – quadrupling the €50m fine imposed on Google by French authorities earlier this year.

Related content

• GDPR: how did we get here, and what on earth happens next?
• ICO strategy focuses on public awareness and FOI reform
• GDPR: Five things we will only discover after 25 May

However, it is still some way short of the maximum penalty available under GDPR, which is 4% of global turnover; in BA’s case, this would have been close to £500m. 

Such a fine would mark a thousandfold increase on the £500,000 penalty which, prior to the introduction of GDPR last year, was the stiffest penalty available to the ICO for many years.

Following the announcement of the BA fine, information commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways chief executive Alex Cruz claimed that that airline is “surprised and disappointed in this initial finding from the ICO”.

“British Airways responded quickly to a criminal act to steal customers’ data,” he said. “We have found no evidence of fraud [or] fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

Willie Walsh, chief executive of BA parent company International Airlines Group added: “British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”