UK’s Information Commissioner’s Office (ICO) to fine British Airways £183.39m for breach of GDPR

The UK’s Information Commissioner’s Office (ICO) has issued a notice of its intention to fine British Airways £183.39 million for a breach of the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident in September 2018 in which users of the British Airways website were diverted to a fraudulent site where customer details were harvested by the attackers.

It is thought that the personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.

The ICO’s investigation has found that customer information was compromised because of poor security arrangements at the company. The personal data concerned included login details, payment card information, and travel booking details, as well as name and address information.

Information Commissioner Elizabeth Denham said:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways will now have the opportunity to make representations to the ICO as to the proposed findings and sanction.

The ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.

If you’re not sure about how to protect personal data that you’re processing, we’re here to help. see