British Airways faces £183m fine

British Airways faces £183m fine

The ICO has issued one of its first “blockbuster” fines under GDPR for a data breach – British Airways has been fined a record £183 million after its website was hacked and the personal data of 500,000 customers was harvested.

The breach was caused by “poor security arrangements” allowing customer information to be accessed. The hackers were able to obtain names, email addresses and credit card information, including CVC numbers.

This fine is the largest penalty in the UK and one of the most significant since GDPR came in last year. Prior to this the largest penalty was £500,000 imposed on Facebook for its role in the Cambridge Analytica data scandal.

The ICO is clearly flexing its muscles and using its new enforcement powers under GDPR that allow issue fines of up to 4% of annual turnover for the most serious breaches. The BA penalty amounts to 1.5% of its worldwide turnover 2017, so it escaped a maximum award. The pain for BA is likely to continue if the affected customers bring compensation claims or clog up it systems with complaints and subject access requests. Its reputation and share price are also likely to be affected.  

This fine is a reminder that organisations should not be complacent. The ICO made it very clear from the outset that security of data must be a key priority and whilst the ICO allowed some time for businesses to adjust, it is now clear that the bedding in time is over.

Organisations need to consider whether they are confident that they can demonstrate compliance and accountability should they ever need to report a breach. Cybercrime is now the biggest form of crime with organisations being targeted on a daily business.

Are you confident that your business is up to speed on GDPR and data protection and can withstand a data breach?

How Blaser Mills Law can help?

We provide businesses with varying levels of GDPR support to suit their needs. We can help with initial audits through to notices, policies, procedures, subject access requests, breach reporting, transfer and processing agreements and ongoing, large-scale project work.

Additionally, we advise businesses on regulation and compliance and can act quickly if you have a data breach and face enforcement action and claims from data subjects.

Our services include:

  • Data Protection Officer
  • Data Compliance
  • Data Breach reporting
  • EU representation
  • UK representation

For more information on our services, click here.

Should you wish to discuss your GDPR requirements, please contact James Simpson on 01494 478689 or at