ICO intends to fine British Airways £183m for data breach


British Airways could face a fine of £183 million as a result of a data breach that the airline disclosed on 6 September 2018.

According to Sky News, the carrier today said that it had received notification from the Information Commissioner’s Office (ICO) of the regulator’s intention to issue BA with the record-breaking fine after customer data was stolen from the company’s website.

British Airways has said that it is “surprised and disappointed” by the financial penalty, which could be the heaviest fine handed out yet by the ICO in the GDPR era.

Facebook currently holds the record for the largest data breach fine, having been issued a £500,000 penalty for its part in the Cambridge Analytica scandal – the maximum penalty permitted under pre-GDPR data laws.

Under the GDPR, a data breach can lead to a company being fined up to €20m or 4% of annual turnover. BA’s prospective fine would represent just 1.5% of its global turnover.

At the time of the data breach, IAG-owned British Airways said hackers had perpetrated a “sophisticated, malicious criminal attack” on the firm’s website.

As reported by BBC News, IAG chief Willie Walsh underlined BA’s intention to make representations to the ICO against the proposed fine.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” Walsh said.

Data exposed in the breach comprised customer names, email addresses and payment card information, including card numbers, expiry dates and card security codes. However, BA has said that it did not store CVV numbers.

The company had previously divulged that around 380,000 transactions had been hit by the breach, but that passport details and travel information had not been among the data stolen.

British Airways chairman and chief executive, Alex Cruz, said:

“We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.

“We apologise to our customers for any inconvenience this event caused.”
