British Airways appears confident of securing a huge reduction in its proposed £183m fine for breaching GDPR, with its latest results showing the airline has set aside just €22m (£19.78m) – a markdown of nearly 90% – although one data protection expert reckons it may end up paying nothing.
The issue dates back to September 2018, when BA “self-reported” a cyber attack, triggering an extensive investigation by the Information Commissioner’s Office.
The incident in part involved user traffic to the BA website being diverted to a fraudulent site. Through this false site, customer details were harvested by the hackers. Personal details of approximately 500,000 customers were compromised in the attack, which is believed to have begun in June 2018.
The ICO’s investigation found that a variety of information was compromised by poor security arrangements at “the world’s favourite airline”, including login, payment card and travel booking details, as well as name and address information.
At the time, Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
The regulator then issued a “notice of intent” on July 8 2019 to fine the airline £183m; a day later it issued another notice of intent to fine Marriott International £99m for a cyber incident which exposed 339 million customer records globally, of which over 30 million were in the EU and 7 million in the UK.
Both companies insisted they would fight the fines; cue months of legal wrangling.
Since then, the ICO has been forced to delay issuing the final penalty three times; the most recent setback was revealed in May when Denham used a conference address to blurt out that both decisions would be postponed until at least August. There has been no official announcement on any of the adjournments.
Even so, in the “exceptional items” section of IAG Group’s consolidated results for the six months to June 30, 2020, published on Friday, the company states: “The exceptional charge of €22 million represents management’s best estimate of the amount of any penalty issued by the ICO in the United Kingdom, relating to the theft of customer data at British Airways in 2018.
“The process is ongoing and no final penalty notice has been issued. The exceptional charge has been recorded within Property, IT and other costs in the Income statement, with a corresponding amount recorded in Provisions.”
In response, Mishcon de Reya data protection advisor Jon Baines believes the fine may never materialise. In a blog post, he said: “The effect of Covid-19 on the global travel sector was almost bound to lead the ICO to review the matters.
“It is notable that IAG talk about ‘any penalty’. Given the length of time which has elapsed since the original trigger hacking incident, and since the ICO announced its intention to fine, it must be far from certain that, ultimately, a fine of any sort will be issued.”