GDPR: British Airways faces record £183m fine for customer data breach

Information Commissioner's Office intends to fine airline for “poor security arrangements” - British Airways says it's “surprised and disappointed” by planned penalty.
Written by Danny Palmer, Senior Writer

British Airways is facing the prospect of a £183.4m fine following a cyberattack against its systems last year.

The proposed record penalty from the Information Commissioner's Office comes following a data breach which is thought to have affected hundreds of thousands of customers who used the British Airways website between April and June 2018. The breach was disclosed in September.

The incident, which is believed to have begun in June 2018, in part involved user traffic to the British Airways website being diverted to a fraudulent site, where the personal details of around 500,000 customers were harvested by the attackers.


The ICO has announced its intention to issue the fine under the General Data Protection Regulation, the European Union data protection law that came into force in May last year – and the planned figure is by far the largest penalty notice issued under GDPR.

The customers' personal data and credit card information is thought to have been stolen by a cybercriminal operation known as Magecart. The hacking group is known for breaching online stores and hiding JavaScript code that steals credit card information as it is entered into store checkout pages.
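The defensive counterpart to that technique is to know exactly which scripts a checkout page is supposed to load and to flag anything else. The following is an added example, written for this article rather than taken from it or from any of the organisations it mentions: it audits the script tags in a saved copy of a checkout page against an allowlist of expected hosts and builds the Content-Security-Policy `script-src` directive that would let the browser enforce the same allowlist. The page origin, allowlisted hosts and sample HTML are all constructed for the example.

```javascript
// Added example (not from the article): audit the <script> tags on a
// checkout page against an allowlist of expected hosts, and derive the
// CSP script-src directive that would enforce that allowlist in the browser.
// The origin, allowlist and sample page below are constructed for this example.

const PAGE_ORIGIN = 'https://www.example-airline.test'; // assumed first-party origin
const ALLOWED_SCRIPT_HOSTS = ['www.example-airline.test', 'cdn.example-airline.test']; // assumed allowlist

// Constructed sample of a checkout page: one CDN script, one relative
// first-party script, one inline block, and one script pulled from a host
// that is not on the allowlist.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="https://cdn.example-airline.test/js/checkout.js"></script>
<script src="/js/forms.js"></script>
<script>window.appConfig = { currency: "GBP" };</script>
<script src="https://static.unrelated-host.test/analytics.js"></script>
</head><body><form id="payment"></form></body></html>`;

// Pull every <script> tag out of the HTML and classify it as external
// (has a src attribute) or inline. Regex-based on purpose so the audit runs
// on a saved page copy without a DOM library.
function extractScripts(html) {
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const srcRe = /\bsrc\s*=\s*["']([^"']+)["']/i;
  const scripts = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const srcMatch = srcRe.exec(m[1]);
    if (srcMatch) {
      scripts.push({ kind: 'external', src: srcMatch[1] });
    } else {
      scripts.push({ kind: 'inline', body: m[2].trim() });
    }
  }
  return scripts;
}

// Resolve the host a script is loaded from. Relative URLs are first-party
// and resolve against the page's own origin.
function scriptHost(src, pageOrigin) {
  return new URL(src, pageOrigin).hostname;
}

// Compare the page's scripts with the allowlist. Returns the external
// scripts whose host is not expected, plus the number of inline blocks,
// which need a manual look because a host allowlist cannot vouch for them.
function auditScripts(html, pageOrigin, allowedHosts) {
  const allowed = new Set([new URL(pageOrigin).hostname, ...allowedHosts]);
  const scripts = extractScripts(html);
  const unexpected = scripts
    .filter(s => s.kind === 'external')
    .map(s => ({ src: s.src, host: scriptHost(s.src, pageOrigin) }))
    .filter(s => !allowed.has(s.host));
  const inlineCount = scripts.filter(s => s.kind === 'inline').length;
  return { unexpected, inlineCount };
}

// Build the Content-Security-Policy script-src directive that makes the
// browser refuse scripts from any host outside the allowlist. Inline scripts
// are deliberately not permitted here; they need hashes or nonces instead.
function buildScriptSrcDirective(allowedHosts) {
  const sources = ["'self'", ...allowedHosts.map(h => `https://${h}`)];
  return `script-src ${sources.join(' ')}`;
}

const result = auditScripts(SAMPLE_CHECKOUT_HTML, PAGE_ORIGIN, ALLOWED_SCRIPT_HOSTS);
console.log('unexpected scripts:', result.unexpected);
console.log('inline script blocks to review:', result.inlineCount);
console.log('suggested policy:', buildScriptSrcDirective(ALLOWED_SCRIPT_HOSTS));
```

Run with `node` on a saved copy of the page; the sample reports the `static.unrelated-host.test` script as unexpected and one inline block for review. The same allowlist feeds the `script-src` directive, so a script injected from an unlisted host is blocked by the browser rather than merely noticed after the fact; inline code still has to be covered by hashes or nonces.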

Following what's described as an "extensive investigation", the ICO has concluded that information was compromised by "poor security arrangements" at British Airways. This relates to the security around login, payment card and travel booking details, as well as name and address information.

"People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience," said information commissioner Elizabeth Denham.

"That's why the law is clear – when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

British Airways chairman and chief executive Alex Cruz said the company is "surprised and disappointed" at the ICO's findings, claiming the company found "no evidence of fraudulent activity on accounts linked to the theft".

British Airways has 28 days to appeal against the decision – and parent company International Airlines Group intends to do so.

"British Airways will be making representations to the ICO in relation to the proposed fine. We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals," said IAG chief executive Willie Walsh.

An ICO statement says it will "consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision". The final figure for the fine could be lower.

The previous highest penalty issued by the ICO was £500,000. This was the maximum that could be levied under the old rules, and it was most recently imposed on Facebook for its role in the Cambridge Analytica scandal.
