BA Faces Record £183.39m Fine For Massive Data Breach

The Information Commissioner’s Office (ICO) has said it plans to fine British Airways a record £183.39 million for a data breach last year that affected half a million customers.

The fine is the ICO’s largest to date and the first to be published under stricter data protection rules that took effect in May 2018.

The airline said it was “surprised and disappointed” by the decision, and said it planned to make representations to the regulator ahead of a final decision.

On 6 September of last year BA said it had discovered a hack of its systems that had resulted in customers’ data being harvested by attackers as it was entered.

Security breach

The hack, which began in June 2018, was in effect during the busy summer holiday period and is believed to have affected some half a million users, the ICO said.

The regulator said attackers had compromised details including logins, payment card numbers and travel booking details, as well name and address data due to “poor security arrangements” at BA.

“People’s personal data is just that – personal,” said information commissioner Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The ICO said BA had cooperated with the investigation and had improved its security arrangements.  The ICO carried out the probe as lead regulator on behalf of other EU member state data authorities.


BA will have the opportunity to make representations in the case ahead of a final decision, and said it planned to do so.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” said Willie Walsh, chief executive of BA owner IAG.

BA chairman and chief executive Alex Cruz said the airline was “surprised and disappointed” by the initial finding.

“British Airways responded quickly to a criminal act to steal customers’ data,” he said. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

The GDPR data protection rules that took effect last year increase possible fines from a maximum of £500,000 to up to 4 percent of a company’s annual turnover.

The proposed BA fine is about 1.5 percent of the airline’s £11.6bn worldwide turnover in 2018.

The ICO’s previous record fine of £500,000 was levied on Facebook for its involvement in the Cambridge Analytica scandal.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

US DoJ Charges Six Russian GRU Officers For Cyberattacks

Hackers also targeted this year's delayed Olympic Games in Tokyo says UK, as the US…

1 hour ago

Google Discloses Biggest-Ever DDoS Attack

Google says it successfully fended off a 2.5 Tbps denial-of-service attack in 2017, making it…

1 day ago

Microsoft Issues Two Emergency Windows Patches

Microsoft publishes out-of-band patches for bugs in Visual Studio Code and Windows Codecs Library that…

1 day ago

Zoom Introduces Paid Events, In-Meeting Apps

Zoom aims to capitalise on its massively increased user base with platform for paid events…

1 day ago

European Telecoms Trade Group Warns Against Banning Chinese Vendors

Banning Chinese telecoms equipment vendors for political reasons will increase costs and delay network upgrades,…

1 day ago

Twitter Changes Policy On Blocking ‘Hacked Materials’

Twitter will no longer block links to articles containing hacked materials, following criticism over treatment…

1 day ago