• Home
  • Blog
  • UK Regulator Flexes GDPR Muscles With Record £183m fine for British Airways

UK Regulator Flexes GDPR Muscles With Record £183m fine for British Airways

The time to ‘wait and see’ on GDPR is over for UK firms as Information Commissioner’s Office sets the bar with landmark fine for 2018 British Airways data theft. 


The UK’s Information Commissioner’s Office (ICO) has announced that it intends to fine British Airways (BA) £183.39 million (US$230 million) in connection with a huge data breach that took place last year that affected 500,000 customers browsing and booking tickets online.  

The fine – 1.5% of BA’s total revenues for the year that ended December 31, 2018 – is the highest-ever that the ICO has levelled at a company over a data breach. By comparison BA’s fine is 366 times bigger than the ICO's previous recordholder Facebook, who was slapped with a mere £500,000 fine last year for the Cambridge Analytica scandal. And is the first fine made public by the ICO since General Data Protection Regulation (GDPR) privacy laws came into force. 

The ICO’s announcement is part of a new directive to disclose the details of its fines and investigations to the public. Going forward we can expect GDPR breach mitigation to be more transparent. 

The severity of the ICO’s response is expected to be driven in part by the impact of the breach, but also in part by the measures that the organization had taken to prevent it or mitigate its impact. In an investigation, the ICO said that it found “that a variety of information was compromised by poor security arrangements at [BA], including log in, payment card, and travel booking details as well as name and address information.” 

More specifically, the incident involved malware on BA.com that diverted user traffic to a fraudulent site, where customer details were subsequently harvested by the hackers. The ICO appears to have penalised the lack of preventative measures, and possible lack of compliance with PCI DSS (third-party Javascript on the payment page) – but they avoided meting out the maximum fine – perhaps in acknowledgement of the moderate impact. 

British Airways is “surprised and disappointed” about the hefty penalty levelled by the ICO, according to its chairman and chief executive, Alex Cruz. But the surprise lies more in the realization that the GDPR was a major event and that the ICO, whose fining powers were previously limited to £500,000, is now a regulator to be feared and one that is prepared to flex its regulatory muscles. 

Commenting on the landmark ruling Rob Dallison, Associate Vice President, SAI Global, said, “Compliance with GDPR requires significant investment – and many UK companies have preferred to wait and see how the ICO will interpret the regulation, before investing the funds, time and resources required to become fully GDPR compliant.”  

Dallison added: “For those UK firms who have been waiting for a yardstick to measure their exposure to GDPR penalties, the time for ‘wait and see’ is over. They now have some key data points to assess the financial risk attached to a breach of GDPR, and to make their investment decisions accordingly.”  

Organizations like BA can absorb this level of fine, as it is not expected to impact their bottom line too significantly. However, assessing the impact on consumer trust with the airline is going to be harder to know for some time. With consumers becoming even more powerful, as they continue to understand the rights and mechanisms that regulations like the GDPR have made available to strengthen their ability to manage and protect their data, this example will hopefully provide other organizations with a stark reminder of the importance of ensuring person data is secured. 


Learn how SAI Global can help organizations like yours achieve GDPR compliance.