British Airways is facing a £183m fine from the Information Commissioner’s Office (ICO) under GDPR for a September 2018 security breach. In the incident, traffic to BA’s website was diverted to a fraudulent site, resulting in the personal data of approximately 500,000 customers being compromised.
The fine equates to 1.5 per cent of BA’s worldwide turnover in 2017, and far surpasses the previous record fine of £500,000 which Facebook was hit with in the Cambridge Analytica data scandal. The maximum fine under GDPR is 4 per cent of annual turnover.
In a statement, the ICO said its investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details, as well as name and address information.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways said it was “surprised and disappointed” at the size of the fine. The company cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. It will have the opportunity to make representations to the ICO as to the proposed findings and sanction.
Diane Yarrow, partner and commercial solicitor at law firm Gardner Leader, described the fine as “substantial” and said it is inevitable that BA will appeal it. She said: “This first large fine would always be hotly contested and in the next 28 days, we should learn more details of the basis on which BA will appeal the ICO’s decision, together with the ICO’s response to the appeal. The ICO will have to take into account any action taken by BA to mitigate the damage suffered by data subjects, the degree of cooperation with the supervising authority and any other mitigating factors.
“Given the current GDPR guidelines it can be reasonably expected that any decision by the ICO will set a strong precedent for future large scale data breaches. Anyone who has not yet taken steps to ensure that they comply with GDPR should revisit what they need to do in the context of their business.”