Expensive Breach of Data Protection Laws – ICO’s fine of BA

The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20 million after the airline failed to adequately protect over 400,000 of its customers’ personal and financial details following a cyber-attack on 22 June 2018. The data breach went unnoticed for more than two months until BA was notified by a third party on 5 September 2018.

Despite the fine being initially set at £183 million, the ICO concluded that:

  1. BA did not gain any financial benefit, or avoid any losses, as a result of the breach;
  2. The data breach was serious in terms of nature and duration;
  3. Although the infringement was not intentional, BA was responsible for the infringements found by ICO investigators;
  4. BA fully cooperated with the investigation, and the ICO Commissioner took this into consideration when calculating an appropriate fine;
  5. Despite personal data being disseminated, no “special category” data, such as racial origin, political opinions, religious beliefs and so forth, was affected; and
  6. BA acted promptly when notifying the ICO.

For these reasons, the ICO saw fit to reduce the fine to £20m.

To review the ICO’s penalty notice, click on the link below:

For further information, please email simon.halberstam@smab.co.uk