British Airways gets hammered with a record £183m fine for data breach

(Image: British Airways. Image credit: Pixabay)

The ICO has penalized British Airways with a record fine of £183 million for a data breach that occurred last year.

The incident came to light last September, when British Airways revealed that a sophisticated hack had led to 380,000 customer accounts being compromised, although that initial figure turned out to be an underestimation, with some 500,000 people actually affected, the ICO reckons.

Those affected had details such as names, addresses, email addresses, credit card numbers and expiry dates – as well as the security codes on the rear of cards – stolen over a two-week period beginning on August 21, we were told at the time, although the ICO says the thefts actually began as early as June 2018.

The hackers diverted victims to a fraudulent site where all these details were successfully harvested.

Fundamental privacy rights

Information Commissioner Elizabeth Denham commented: “People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

And in this case, that investigation has led to a proposed £183.4 million fine.

British Airways said it was ‘surprised and disappointed’ at the verdict according to a BBC report, and will get the opportunity to make its case as to why this penalty is overly harsh.

The ICO further noted: “British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction.”

The ICO will then consider the airline’s arguments, as well as input from other data protection authorities, before the decision on the penalty is finalized.