BA Faces Record £183.39m Fine For Massive Data Breach

The Information Commissioner’s Office (ICO) has said it plans to fine British Airways a record £183.39 million for a data breach last year that affected half a million customers.

The fine is the ICO’s largest to date and the first to be published under stricter data protection rules that took effect in May 2018.

The airline said it was “surprised and disappointed” by the decision, and said it planned to make representations to the regulator ahead of a final decision.

On 6 September of last year BA said it had discovered a hack of its systems that had resulted in customers’ data being harvested by attackers as it was entered.

Security breach

The hack, which began in June 2018, was in effect during the busy summer holiday period and is believed to have affected some half a million users, the ICO said.

The regulator said attackers had compromised details including logins, payment card numbers and travel booking details, as well name and address data due to “poor security arrangements” at BA.

“People’s personal data is just that – personal,” said information commissioner Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The ICO said BA had cooperated with the investigation and had improved its security arrangements.  The ICO carried out the probe as lead regulator on behalf of other EU member state data authorities.


BA will have the opportunity to make representations in the case ahead of a final decision, and said it planned to do so.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” said Willie Walsh, chief executive of BA owner IAG.

BA chairman and chief executive Alex Cruz said the airline was “surprised and disappointed” by the initial finding.

“British Airways responded quickly to a criminal act to steal customers’ data,” he said. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

The GDPR data protection rules that took effect last year increase possible fines from a maximum of £500,000 to up to 4 percent of a company’s annual turnover.

The proposed BA fine is about 1.5 percent of the airline’s £11.6bn worldwide turnover in 2018.

The ICO’s previous record fine of £500,000 was levied on Facebook for its involvement in the Cambridge Analytica scandal.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Meta Building Fastest AI Supercomputer In The World

Facebook building the world’s fastest AI supercomputer to help detect and moderate offensive posts and…

2 hours ago

Nvidia Preparing To Abandon $40bn ARM Acquisition – Report

Facing many regulatory probes and lawsuits, Nvidia tells its partners it is preparing to abandon…

3 hours ago

Vodafone To Switch Off 3G Network Next Year

Mobile operators press ahead with early retirement of old networks, as Vodafone sets 2023 deadline…

5 hours ago

Online Safety Bill Is A ‘Missed Opportunity,’ MPs Warn

DCMS committee says draft version of landmark online safety bill is not robust or clear…

7 hours ago

Julian Assange Wins Right To Ask Supreme Court For Extradition Appeal

Another twist. Julian Assange wins right to ask UK's Supreme Court if it will hear…

7 hours ago

ICO Disagrees With Government-Backed Encryption Campaign

UK data protection watchdog, the ICO, says encryption provides protections for children, after government-backed campaign…

8 hours ago