British Airways Receives Largest Ever Fine For Infringement of GDPR
Posted on 01 Jul 2019
The Information Commissioner’s Office (ICO) has issued a statement of its intention to fine British Airways (BA) a record £183.39m for infringing the General Data Protection Regulation (GDPR) in June 2018.
This is the first notice of intention to fine issued by the ICO under the GDPR, and the proposed fine would be the largest the ICO has ever imposed.
The fine relates to a cyber-security incident that took place via the BA website. Users of the BA website were diverted to a fraudulent site as a result of a hacking attack. Around 500,000 customers had their details compromised, including login information, payment information and travel booking details. BA notified the ICO of the incident in September 2018. The ICO has since investigated the matter and found that the personal data breach occurred as a result of BA’s poor security arrangements. The ICO has now proposed a fine of £183.39m, representing 1.5% of BA’s worldwide turnover in 2017 (against the possible maximum fine of 4% of turnover). The ICO will consider the representations made by BA and the other concerned data protection authorities before it takes its final position.
This incident serves as a reminder to all organisations of the importance of taking the necessary steps to protect personal data against loss, damage or theft.
Although organisations cannot always defend themselves against malicious hacking attacks, it is important to be able to demonstrate that appropriate steps have been taken to protect personal data and that data breaches are handled appropriately, in order to reduce the amount of any potential penalty following an ICO investigation.
If you would like to discuss further or enquire about advice on how to prevent, protect against, and mitigate personal data breaches, please call one of Swayne Johnson Solicitors’ specialist Data Protection Team: