British Airways set to become UK's first major GDPR casualty with £183m fine

8th Jul 2019

British Airways is to be fined £183m by the UK's data regulator, after a data breach that saw 500,000 customer data records stolen. 

The airline revealed the data breach back in September 2018, with the personal and financial records of customers being compromised following a website and mobile app hack.

Since then, the Information Commissioner's Office (ICO) has been investigating the breach to establish its severity. 

The £183m fine is said to be around 1.5% of £11.6bn in global turnover. 

“People’s personal data is just that – personal,” said the information commissioner, Elizabeth Denham.

“When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Under GDPR legislation, any business experiencing a data breach must inform regulators within 72 hours of becoming aware of the incident, which BA was able to achieve back in September. 

Up until this point, the ICO had yet to hand out any major fines under the new legislation, and earlier last year, the regulator's head of risk and governance, Louise Byers, stated:

“Our policy makes it clear that we won’t be changing our approach to fines in four days’ time. Our aim is to prevent harm, to put support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route, but we will back this up with strong action where necessary. Hefty fines can be and will be levied on those organisations that persistently, deliberately or negligently flout the law.”

Byers added: “If you report a breach to us, engage with us and show us effective accountability measures, then we will take this into account when considering regulatory action.”

Alex Cruz, British Airways' chairman and chief executive, was combative in response to the fine:

“We are surprised and disappointed in this initial finding from the ICO.

“British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

The data breach came after a year in which BA's fortunes slid greatly, from a customer viewpoint.

Its World Airline Award ranking had slipped from 1st in 2006 to 40th in 2017. And whilst profits were up last year after a similar slide, its customer service ranking has plunged in recent years.

Research by Which? shows the airline received a customer score of just 52% - a drop from 67% in 2016, putting it third-bottom amongst short-haul carriers.  


Replies (1)

By Chris Ward
09th Jul 2019 21:54

*Update on 9th July, from the ICO in relation to the intent to also fine hotel chain Marriott International £99m for 2014 data breach, notified to the ICO last year:
