British Airways faces a fine of more than £183m for breaching the new General Data Protection Regulation (GDPR), after an investigation by the Information Commissioner’s Office (ICO) found that hackers stole the personal data of 500,000 of the airline’s customers.
Details stolen include logins, payment cards, names, addresses and travel booking information, after customers using the airline’s website were diverted to a fake site. The ICO has said that the data breach happened because British Airways had “poor security arrangements” in place to protect customer information. The airline has since strengthened its web security.
The £183.4m fine, which is the first the ICO has proposed under GDPR, represents around 1.5% of British Airways’ £11.6bn global turnover from last year. This is less than the possible maximum penalties allowed under GDPR (see here for more information on fines under GDPR) but is significant in comparison to the £500,000 fine Facebook received under the Data Protection Act 1998 for the Cambridge Analytica scandal. This affected as many as 87 million users less than a year ago.
It appears as though the ICO have used this data breach case to demonstrate the impact of GDPR and how seriously it takes breaches of personal data. In a statement on the case, Elizabeth Denham has said “when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from [the ICO] to check they have taken appropriate steps to protect fundamental privacy rights”. The ICO’s article on the fine can be found here.
British Airways can now make representations to the ICO as to the proposed findings and sanction, which the ICO will take into consideration before it makes a final decision.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.