ICO intends to fine British Airways £184m under GDPR

July 7, 2019

The ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).

The proposed fine arises from a cyber incident notified to the ICO by British Airways in September 2018, but which was believed to have started in June 2018, in which the personal data of approximately 500,000 customers were compromised, in part because users were directed to a fraudulent site where hackers harvested the data. 

The ICO found that information was compromised by poor security arrangements and the compromised data included log in, payment card, travel booking details, name and address information.

Information Commissioner Elizabeth Denham said:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The ICO says that British Airways has cooperated with the investigation and will now have opportunity to make representations as to the proposed findings and sanction.

The proposed fine equates to roughly 1.5% of British Airways £13bn turnover in 2018.