
First Major UK GDPR Fine: ICO Announces Intention To Fine British Airways £183m For Data Breach

Irwin Mitchell Say This Is A Sign Of Things To Come From The Regulator


David Shirt, Press Officer | 0161 838 3094

The Information Commissioner’s Office is to fine British Airways £183 million after hackers stole personal data by diverting around 500,000 of the airline’s customers to a fraudulent website.

The ICO said the data breach began in June 2018 and, following an extensive investigation, found that the incident involved customer details being compromised, including login, payment card, name, address and travel booking information.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Alex Cruz, the chair and chief executive of British Airways, said: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

Lauren Burrows, an associate at Irwin Mitchell, said: "The fine is indicative of the ICO’s enforcement appetite and sends a clear message that they are not afraid to exercise their powers. Prior to the General Data Protection Regulation coming into force, the maximum fine that could be levied in the UK was £500,000. The maximum fine that can now be imposed against an organisation is up to 4% of global annual turnover.

"The intended fine amounts to about 1.5% of the airline’s worldwide turnover last year. Whilst it might not provide much comfort to British Airways, the fine could have been much higher.

"This is expected to be the first of many fines from the ICO as they have hinted more are to come over the coming months following the conclusion of a number of investigations. We expect this to be a very active period for the UK regulator."

British Airways, which has since improved its web security, can appeal against the findings and scale of the fine before a final decision by the ICO. 

The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.

ICO's full statement can be viewed here.