On July 8, 2019, the United Kingdom Information Commissioner’s Office (ICO) announced its intention to fine British Airways an unprecedented £183.39m in response to a data breach incident last year that affected approximately 500,000 customers.

British Airways first disclosed the incident to the ICO in September 2018, in accordance with its obligations under the European Union’s General Data Protection Regulations (GDPR), informing the regulatory body that users of the airline’s website were diverted to a fraudulent site that harvested personal information of about 500,000 customers.  The data breach incident was a result of poor security arrangements by British Airways that compromised personal information such as names, addresses, email addresses, travel-booking details and credit card information of the individuals affected.  The ICO stated that British Airways has co-operated with the investigation and has made improvements to both its website and security arrangements since the incident took place.

In response to the ICO’s announcement, British Airways’ chair and chief executive Alex Cruz said the company was “surprised and disappointed” by the ICO’s decision, and that there is no evidence suggesting that the personal information harvested by the attackers was misused.

The intended fine amounts to 1.5% of British Airways 2017 worldwide turnover, which is far below the maximum penalty under GDPR of 4% of a company’s worldwide turnover.  However, the ICO’s fine stands as the highest the UK data watchdog has ever announced, eclipsing the £500,000 fine against Facebook in response to the Cambridge Analytica scandal that affected millions of users. 

British Airways will now have the opportunity to make representations to the ICO as to the proposed findings and sanction, and the ICO will also consider representations made from other EU data protection authorities before taking its final decision.

Summary By: Hashim Ghazi


19 07 10

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.