British Airways is facing the biggest UK fine to date under the EU’s General Data Protection Regulation (GDPR), but says it plans to appeal.
The Information Commissioner’s Office (ICO) has issued a notice of its intention to fine the airline £183.39m for infringements of the GDPR.
Until now, apart from the €50m GDPR fine issued by the French data protection authority CNIL to Google, there have been few headline-making fines.
The proposed fine is the biggest ever to be handed down by the ICO and relates to a data breach reported to the ICO by British Airways in September 2018.
At the time the breach was reported, it was expected to be the first test case under the GDPR. Under the UK’s previous data protection laws, the biggest monetary penalty that could be handed down by the ICO was £500,000.
Under the GDPR, the ICO has the power to impose fines of up to 4% of global turnover. However, the proposed BA fine represents just 1.5% of BA’s turnover in 2017.
This data breach was the result of traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers.
Personal data of approximately 500,000 customers was compromised in this incident, which is believed to have begun in June 2018.
The ICO has been investigating this case as lead supervisory authority on behalf of other EU member state data protection authorities. It has also liaised with other regulators.
The ICO said its investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card and travel booking details, as well as name and address information.
Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The ICO said BA has cooperated with the investigation and has made improvements to its security arrangements since the breach came to light.
The company now has 28 days to make representations to the ICO about the findings of its investigation and the proposed fine.
Willie Walsh, chief executive of BA’s owner International Airlines Group, has confirmed that the airline will make representations to the ICO, according to Reuters. “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” he said.
When it was made public, BA’s swift response to the breach earned plaudits from security commentators, and may form part of BA’s appeal.
Under the GDPR “one stop shop” provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
The ICO said it will “consider carefully” the representations made by the company and the other concerned data protection authorities before it takes its final decision.
Nik Whitfield, CEO of security firm Panaseer, said the proposed BA fine is “game changing” for any company serving EU customers and “great news” for consumers’ privacy.
“This shareholder-affecting penalty creates the business case for global companies to invest the substantial sums required to continuously assure that their security controls are adequate, present and working effectively.
“Too often we see data breaches enabled by fundamental security measures not being switched on. New, automated approaches to assurance, such as continuous controls monitoring, will become standard practice, in the same way ERP systems have for the finance function.”