British Airways Is Facing a Record Breaking £183 Million Fine Over 2018 Data Breach


The British Information Commissioner’s Office (ICO) has come down hard on British Airways and imposed a £183 Million fine over the 2018 data breach that saw half a million customers data compromised.

This is the highest fine ever imposed on a company ever since the GDPR regulations and British Airways has 28 days to appeal the fine with the ICO.

Even though the amount of the fine is high, the IOC could have gone much higher, as the maximum amount of penalty they are allowed to impose is equal to 4% of global annual turnover which would have been closer to £500 Million.

BBC (access here) was the first to break the news this morning.

British Airways is facing a record fine of £183m for last year’s breach of its security systems.

The airline, owned by IAG, says it was “surprised and disappointed” by the penalty from the Information Commissioner’s Office (ICO). At the time, BA said hackers had carried out a “sophisticated, malicious criminal attack” on its website.

The ICO said it was the biggest penalty it had ever handed out and the first to be made public under new rules. …

The penalty imposed on BA is the first one to be made public since those rules were introduced, which make it mandatory to report data security breaches to the information commissioner.

It also increased the maximum penalty to 4% of turnover. The BA penalty amounts to 1.5% of its worldwide turnover in 2017, less than the possible maximum. …

The ICO said the incident took place after users of British Airways’ website were diverted to a fraudulent site. Through this false site, details of around 500,000 customers were harvested by the attackers, the ICO said. …

The ICO said the incident was believed to have begun in June 2018.

The watchdog said a variety of information was “compromised” by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.

BA initially said information included names, email addresses, credit card information such as credit card numbers, expiration dates and the three-digit CVV code found on the back of credit cards, although BA has said it did not store CVV numbers.

British Airways has been quite dishonest when it came to the announcement and subsequent handling of the breach.

They downplayed the type of data compromised at first including the amount of data sets/customers involved. Then even though they said the company would compensate customers for damages arising from it, BA has acknowledged no financial damages to any customer even if presented with a clear case of credit card fraud resulting from this (customers had a brand new card and had only used it with BA before).

We have covered this incident many times over the past year here on LoyaltyLobby:


Quite a few readers have contacted us since this happened and many of those affected (including John) have also joined the Class Action Lawsuit by SPG Law as mentioned above. The proceedings are currently underway and there should be a resolution sometime later this year unless they can’t come to a settlement and British Airways really wants this to go to court.

Considering that the IOC stayed at the lower end of the fine spectrum maybe BA shouldn’t appeal the decision. They could (and probably should) have been hit much harder. Hopefully this will be a lesson to them.