British Airways faces a record fine for GDPR breach from ICO

The Information Commissioner’s Office has announced its intention to impose its biggest penalty to date and the first to be made public under the new GDPR rules. The proposed fine is £183m and relates to a data breach in 2018.

In June 2018 British Airways suffered a “sophisticated, malicious criminal attack” on its website, affecting approximately 500,000 customers. It became public knowledge in September of last year. The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information.

Information Commissioner Elizabeth Denham said: "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

"That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

As we can see from the following diagram (published on the BBC news website) this proposed fine is almost 400 times higher than the previous record fine, imposed under the Data Protection Act 1998.

The GDPR, which came into force less than a fortnight before this data breach, not only made it mandatory for organisations to inform the ICO of certain types of personal data breaches, but increased the maximum penalty to €20 million or 4% of the total worldwide annual turnover, whichever amount is the higher. The BA penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum. BA has 28 days to appeal and it seems likely that they will do so.

The BBC’s Technology correspondent, Rory Cellan-Jones summed it up: “The message is clear - if you don't treat your customers' data with the utmost care expect severe punishment when things go wrong.”