BA faces record £183m GDPR fine for data meltdown

British Airways has the dubious honour of becoming the first major UK brand to be pummelled by GDPR, with the company facing a £183.39m penalty for last year’s disastrous data breach, which saw the personal data of hundreds of thousands of customers compromised.

The intended fine, which represents 1.5% of the company’s global annual revenue, will not only be the first fine issued in the UK, it will also be the largest penalty issued anywhere in Europe under the new regulation. The previous record was set by the French authorities, who slapped Google with a €50m (£44m) fine in January.

It follows an extensive investigation by the Information Commissioner’s Office, sparked by a cyber attack which BA “self-reported” in September 2018.

The incident in part involved user traffic to the BA website being diverted to a fraudulent site. Through this false site, customer details were harvested by the hackers. Personal details of approximately 500,000 customers were compromised in the attack, which is believed to have begun in June 2018.

The ICO’s investigation found that a variety of information was compromised by poor security arrangements at “the world’s favourite airline”, including log in, payment card, and travel booking details as well name and address information.

The potential fine comes despite the fact that BA has fully co-operated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have the opportunity to make representations to the ICO as to the proposed findings and sanction.

BA chairman and chief executive Alex Cruz insisted that there was no evidence of any fraudulent activity on accounts linked to the theft. He added: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data.”

The UK regulator has been investigating this case as lead supervisory authority on behalf of other EU member state data protection authorities, as the company is based in the UK. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.

The ICO insists it will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision. This could, just could, lead to a reduced fine.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”