News Hub

BA landed with record £183m fine for data breach

Written by Mon 8 Jul 2019

British Airways

ICO fine amounts to 1.5 percent of the airline’s annual turnover

British Airways is set to be fined more than £183 million over the 2018 data breach that saw 380,000 customer payment cards compromised.

Alex Cruz, BA chairman and chief executive said he was “surprised and disappointed” by the proposed penalty from the Information Commissioner’s Office (ICO).

Willie Walsh, who runs the British Airways parent company IAG, said the firm will “defend the airline’s position vigorously, including making any necessary appeals.”


The ICO is penalising BA in accordance with new GDPR rules, which necessitate that companies report data security breaches to the information commissioner no later than 72 hours after becoming aware of them.

The Information Commissioner said the incident was believed to have begun in June 2018, though BA did not disclose the breach until 6 September 2018.

It is the first GDPR penalty imposed by the ICO to be made public since the new rules came into effect. GDPR regulations stipulate that companies that breach them can be fined up to a maximum of 4 percent of their annual turnover. BA’s fine amounts to 1.5 percent of the airline’s 2017 turnover.

The ICO said hackers exploited poor security arrangements at the airline by diverting users of the airline’s website to a fraudulent site that harvested their names, email addresses and credit card information, such as credit card numbers, expiration dates and the three-digit CVV code, although BA has said it did not store CVV numbers.

The ICO said around 500,000 customers were affected.

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience,” said Information Commissioner Elizabeth Denham,

“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Written by Mon 8 Jul 2019


british airways data breach data privacy GDPR
Send us a correction Send us a news tip