British Airways ultimately pays £20 million for 2018 data breach

The British Information Commissioner’s Office (ICO) reduced the penalty imposed on British Airways for the data breach that took place in 2018. Initially, the fine was set at €204.6M (£183.39M), or 1.5% of British Airways’ revenue in 2018.

However, taking into consideration other factors, including the COVID-19 pandemic and its effect on the airline industry, the ICO ultimately reduced the fine on 16 October 2020 to £20 million (around €22 million).

[Figure: Timeline of British Airways cyberattack and GDPR fines]

British Airways data breach

In September 2018, British Airways disclosed a data breach in which user traffic to the British Airways website was diverted to a fraudulent site, where the attackers harvested the personal information of approximately 400,000 customers and BA personnel.

The ICO found that the company lacked adequate security mechanisms to prevent such a cyber-attack.

The ICO stated that a “variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information.”

The attack was detected only in September 2018, roughly two months after it started, owing to the serious lack of security measures. The breach affected the personal data of customers and employees, including their names, addresses, login and password information, credit card numbers, and CVV numbers.


2019 notice of intent to fine British Airways

In July 2019, after a thorough investigation, the ICO issued a notice of its intention to fine British Airways €204.6M (£183.39M) for violation of Article 5(1)(f) and Article 32 of the General Data Protection Regulation (GDPR).

According to the ICO’s official statement: “An ICO investigation found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months.”

In the meantime, the ICO and British Airways engaged in negotiations in which both sides pleaded their cases regarding the severity of the penalty, which in the end resulted in a reduced fine.

2020 decision to fine British Airways £20m for data breach

On October 16, 2020, the ICO finally issued a decision setting the fine at £20 million. However, the reasons behind the reduced fine are not related to the seriousness of the case, but rather to British Airways’ response to the incident, the economic impact, and the situation around the coronavirus pandemic.

Information Commissioner Elizabeth Denham stated: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure. Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”