UK ICO fines British Airways £20M for data breach

The long-awaited fine on British Airways (BA), announced today, for the 2018 cyber-attack and data breach that affected 400,000 of its customers is just under 11% of the sum originally proposed (£20M against the £183.39M notified in 2019).

In 2019, the ICO issued a statement regarding its notice of intention to fine British Airways £183.39M for infringements of the EU GDPR.

BA clearly expected lenient treatment: the Interim Management Report published this summer by IAG (British Airways' parent company) stated that ‘an exceptional expense of €22 million has been recorded in respect of a provision in relation to the theft of customer data at British Airways in 2018.’

The ICO applied the legislative framework in conjunction with its Regulatory Action Policy, which states that before issuing fines it takes into account economic impact and affordability. That Policy is currently under review as part of the ICO’s consultation on its Statutory Guidance.

The fine was delayed for months while the ICO allowed extra time for representations, and the ICO says it took into account the economic effects of the COVID-19 pandemic on BA when setting the amount.

Since the attack, BA has made considerable improvements to its IT security, the ICO says.

‘Because the BA breach happened in June 2018, before the UK left the EU, the ICO investigated on behalf of all EU authorities as lead supervisory authority under the GDPR. The penalty and action have been approved by the other EU DPAs through the GDPR’s cooperation process,’ the ICO says.

See ICO News