British Airways Data Breach

10 July 2019

Author: Rosanne Brennan


The ICO has released a statement notifying its intention to fine British Airways (BA) £183.39 million following a cyber-attack on the airline’s website in September 2018, which saw the personal data of approximately 500,000 customers harvested by cyber criminals, including payment card information, travel details and names and addresses. The ICO is entitled to fine an organisation up to 4% of its global turnover for a serious breach of the General Data Protection Regulation. In this case, the proposed fine amounts to just over 1.45% of BA’s global turnover (for 2018) and is a clear signal to organisations that ICO is willing to use its powers to full effect.

The Information Commissioner, Lady Denham said, "... when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights." We are yet to see any substantial fines under the GDPR regime which was introduced in May last year but this is certainly setting a significant benchmark. BA is entitled to appeal the ruling and is likely to make representations to the ICO, which may see the level of the fine being reduced.

It is clear that expectations are high when it comes to data protection compliance and no matter how efficient the response to a data breach, such an occurrence could go beyond a ‘PR’ disaster for the organisation in question but could also seriously undermine financial performance or, in the worst case, even its survival.

If you have any concerns regarding data protection compliance or would like to talk to one of our information law experts, please get in touch at [email protected]