Flying Too Close to The Sun: British Airways to be fined a record £183 million by the ICO for breach of GDPR regulation
July 18, 2019
What's going on here?
The UK Information Commissioner’s Office (ICO) has issued British Airways with a notice of intent to impose the largest penalty in its history, £183.39 million (around 1.5% of BA’s 2017 worldwide turnover), for breaching the GDPR after attackers harvested the personal data of around 500,000 customers through BA’s website and mobile app last summer.
What does this mean?
Last September BA informed around half a million customers that personal details, including payment card details, had been harvested from roughly 380,000 booking transactions made between 21 August and 5 September 2018. The attack is thought to be the work of the same group of hackers (known as Magecart) that compromised Ticketmaster in June 2018. At the time, BA faced a class action lawsuit led by SPG Law, and knew it would be judged under the GDPR, which raised the maximum fine from £500,000 to 4% of the guilty party’s worldwide annual turnover (or €20 million, whichever is higher). Commentators predicted that the fine would be large enough for the ICO to demonstrate its new powers, but not so large as to shock companies. Instead, BA has been hit with a far heftier penalty than was foreseen. Nevertheless, it is still a long way short of the maximum, which in BA’s case would have been roughly £500 million.

BA offered full compensation at the time of the attack to any customers who suffered financial loss, but has not since said whether anything has been paid. The notice of intent gives BA 28 days to make representations to the ICO before the penalty is finalised.
What's the big picture effect?
This is a strong signal from the ICO that breaching the GDPR carries serious consequences. Information Commissioner Elizabeth Denham noted that failing to protect people’s personal data is more than “just an inconvenience” and that the “law is clear – when you are entrusted with personal data, you must look after it”. The ICO also noted that BA has co-operated with the investigation and has since made improvements to its security arrangements.

However, as steep as £183 million may sound, other companies could face much more severe fines. One such company is Facebook, currently under investigation by the ICO over a September 2018 breach that left around 50 million user accounts exposed. Another is Google, which exposed the data of around 50 million users of its Google+ social network through a software bug and subsequently shut the platform down. £183 million dwarfs the previous record fine of £500,000, which was the maximum available under the old legislation and was imposed on Facebook over the Cambridge Analytica scandal, yet larger fines seem likely to follow. Measured against the new cap of 4% of worldwide turnover, the penalty proposed for BA (about 1.5% of its turnover) could even be considered lenient. It may currently be the largest GDPR penalty, but that title is unlikely to last long. The ICO has signalled to the tech giants that the handling of users’ data requires serious attention.

For BA, the penalty could seriously damage its reputation for customer security, and its share price and public perception are likely to suffer from a fine that has made so many headlines. BA will almost certainly challenge the decision. BA’s chief executive Alex Cruz said the airline was “surprised and disappointed” by the ICO’s initial finding, adding that “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft”. Willie Walsh, chief executive of BA’s owner IAG, said the group would “take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals”.
Whether the ICO holds fast to its newly assertive protection of personal data, or backs down once challenged through representations and appeal, remains to be seen.
Report written by Will Holmes