ICO issues £183 million GDPR fine to British Airways

British Airways has been fined more than £183m by the Information Commissioner’s Office after hackers stole the personal data of half a million of the airline’s customers.

The ICO said its investigation found that the incident involved customer details including login, payment card, name, address and travel booking information being harvested after being diverted to a fraudulent website.

The ICO said that data breach, which began in June 2018, occurred because British Airways had “poor security arrangements” in place to protect customer information being accessed.

The £183.4m fine, the first the ICO has proposed under the new General Data Protection Regulation (GDPR), amounts to about 1.5% of British Airways’ £11.6bn worldwide turnover last year.

“People’s personal data is just that – personal,” said the information commissioner, Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

As we pointed out in our May blog post GDPR one year on, the ICO were expected to start making an example out of organisations that do not take the protection of personal data seriously, so if your organisation is not yet GDPR compliant and you have been thinking that GDPR will just fade away, you should get in touch to see how we can help you. GDPR compliance is not neccesarily difficult or expensive, especially if you already have good business practices.

So take advantage of a free initial telephone consultation with one of our ISO qualified GDPR advisors to find out how we can do all the hard work for you. Just give us a call on 01293 446677 or fill in the enquiry form below.