ICO intends £183m GDPR fine for British Airways
The ICO has issued a notice of its intention to fine British Airways £183.39m for infringements of the General Data Protection Regulation (GDPR). This is a massive fine and one of the first issued under the GDPR regime, where penalties can reach up to €20 million or 4% of annual global turnover. Given British Airways' turnover, it could have been worse: a GDPR fine of around £500 million could have been issued.
The proposed GDPR fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. The personal data of approximately 500,000 customers was compromised in this incident, which is believed to have begun in June 2018.
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
– Elizabeth Denham, Information Commissioner
British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have the opportunity to make representations to the ICO as to the proposed findings and sanction.
A GDPR fine does not go to the ICO; fines recovered go to the Treasury’s Consolidated Fund.