Record GDPR fine for BA

British Airways (BA) is on the receiving end of a GDPR fine of £183m from the Information Commissioner’s Office (ICO), following a 2018 security breach.

This is the biggest fine ever handed out by the independent body set up to uphold information rights, and the first to be made public under new rules.

Why has BA been fined?

The BA security breach compromised the data of about half a million customers, who were diverted from BritishAirways.com to a fraudulent website that harvested all manner of details, including names, addresses, login credentials, payment card details and travel booking details.

The ICO said the incident took place after users of British Airways’ website were diverted to a fraudulent site. Through this false site, details of around 500,000 customers were harvested by the attackers, the ICO said.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

What is GDPR?

GDPR, or General Data Protection Regulation, is data protection legislation designed to change how businesses and public sector organisations can use and handle customer information, and give individuals greater control over how organisations contact them and use their data.

It came into force across the EU on May 25, 2018, and will remain part of UK legislation even if the UK leaves the EU with no deal.

For more information on GDPR, check out our small business guide to GDPR.

Why has BA been fined so much?

BA’s £183.39 million fine is far and away the biggest ever for a data breach. This could be because the rule changes mean companies can be charged a lot more than in the past: before GDPR, the maximum fine that could be issued under the Data Protection Act was £500,000; it is now €20 million or 4% of a company’s global turnover.

Although a severe breach, it seems BA’s record fine is down to bad timing, especially when you consider the levels of fine that have been issued to big companies in the past.

What are the biggest fines for a data breach?

Year   Company                          Fine
2019   British Airways                  £183.39 million
2018   Equifax                          £500,000
2018   Facebook                         £500,000
2018   Uber                             £400,000
2018   Carphone Warehouse               £400,000
2016   TalkTalk                         £400,000
2012   Sussex Hospitals NHS Trust       £350,000
2018   Crown Prosecution Service        £325,000
2018   Yahoo                            £250,000
2013   Sony                             £250,000
2012   Scottish Borders Council         £250,000