GDPR: Record British Airways fine shows how data protection legislation is beginning to bite

The ICO's proposed £183m fine should act as a wake-up call for other organisations: make sure your cybersecurity and data protection policies are GDPR-compliant - or you could be next.
Written by Danny Palmer, Senior Writer

It was always only a matter of time, and a little over a year after General Data Protection Regulation (GDPR) came into force across Europe, a data protection agency has announced plans to issue the first mega-fine as the result of a data breach.

The UK's Information Commissioner's Office has declared that it intends to fine British Airways a record total of £183.4m because of a data breach it suffered during the summer of 2018.

The airline fell victim to a cyberattack that saw hackers gain access to personal information and credit card data of hundreds of thousands of its customers in an incident believed to have begun in June last year.

SEE: GDPR: A cheat sheet (TechRepublic)

The attack, apparently by the notorious cybercriminal group Magecart, only came to light in September – it's believed that over 500,000 customers purchasing flights on the British Airways website and mobile application had their data stolen in the attack.

Following an investigation, the ICO declared that customers' personal data was compromised as a result of "poor security arrangements" by the airline.

British Airways said it was "surprised and disappointed" by the fine and said there has been "no evidence of fraudulent activity on accounts linked to the theft" – but that hasn't prevented the ICO from making plans to issue the record penalty. 

British Airways is appealing against the prospect of the fine, but as it stands, the £183m figure is four times the size of the previous largest fine – that €50m penalty was issued to Google by the French data protection authority for a lack of transparency in its advertising. The £183m figure also eclipses the ICO's previous biggest fine of £500,000, which it issued to Facebook for its role in the Cambridge Analytica scandal

The move by the ICO is a significant milestone, not just because the planned fine is so much larger than others, but also because it represents the first major penalty notice issued on a wide-scale cyberattack that affected a multinational organisation and hundreds of thousands of its customers.

The ICO has yet to release its full report on why it has issued such a large fine, but it's likely the way in which this incident was so high-profile, and impacted so many people, has played some role in the decision.

By announcing plans to issue such a large fine, the ICO is also sending a message – not only to British Airways, but to other organisations – that GDPR is here and is a force to be reckoned with.

Other organisations will have seen this and could see it as an incentive to ensure that their cybersecurity and data compliance processes are fit for the digital age.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

Under GDPR, they're already obligated for this to be the case, but the sheer scale of the proposed fine is undoubtedly going to act as a wake-up call for many companies.

It's worth remembering that GDPR isn't designed to exist as a bogeyman for catching organisations out, it's there to ensure that data protection is taken seriously.

It's entirely possible for an organisation to fall victim to a data breach and not receive a fine – so long as protection authorities and customers are informed of the breach within 72 hours of it coming to light and that the organisation is found to have done all it can to protect against and mediate the breach.

It's also worth noting that, while huge, the ICO's intended fine isn't the maximum. For British Airways, the potential fine amounts to 1.5% of its annual turnover in 2017, under half of the maximum GDPR penalty of 4% of annual turnover. If the ICO had deemed it appropriate, it could have issued a fine of over £450m. British Airways has 28 days to appeal against the decision – and parent company International Airlines Group intends to do so.

Many companies will be stunned to see such a potentially huge fine being issued so soon after the arrival of GDPR. But to ensure that they don't risk similar fines, organisations should look at their cybersecurity and data protection policies and ensure they are as strong as possible, sooner rather than later.


Editorial standards