British Airways – ICO’s biggest fine yet


The expected fine for British Airways has now been confirmed, albeit much lower than originally envisaged.

On July 8, 2019, the Information Commissioner’s Office (ICO) announced its intention to fine British Airways £ 183.39 million (1.5% of BA’s global sales) for breach of personal information under the General Data Protection Regulation by nearly 500,000 people. However, a combination of attenuating factors and the impact of the pandemic led the ICO to review the size of the fine and concluded that it would “only” impose a £ 20 million fine.

The GDPR sets two fines. For less serious violations, organizations can be fined up to EUR 10 million or 2% of their total worldwide sales for the previous financial year, whichever is greater. The more serious violations could result in a fine of up to EUR 20 million or 4% of total worldwide sales for the previous fiscal year, whichever is greater.

What happened?

In September 2018, BA apologized for a breach of the company’s security systems that resulted in a cyber attack and the disclosure of personal information of nearly 500,000 people. Specifically:

  • Name, address, card number and CVV number were given to 244,000 people.
  • 77,000 people had only given their card number and CVV;
  • 108,000 people only disclosed their card number;
  • Approximately 612 BA Executive Club account usernames and PIN numbers were disclosed. and
  • Usernames and passwords of BA employees and administrator accounts have been announced.

The breach was caused by the attacker gaining access to an internal BA application and the wider network by exploiting a JavaScript file on the BA website. This resulted in data being transferred from the BA website ( to an external domain ( The copying and rerouting of payment card data took place between August 21 and September 5, 2018 without interrupting the usual BA booking and payment process.

In its investigation, the ICO came to the conclusion that the BA has not complied with its GDPR obligations under Article 5 (1) (f) of the principle of integrity and confidentiality and Article 32 of processing security. It found that BA processed a “significant amount of personal data without adequate security measures”. Failure to fix its vulnerabilities and detect the cyberattack for more than two months was also criticized. Questions were raised as to whether BA would have discovered the breach itself, as they had been informed of the problem by a third party.

Mitigating circumstances

The ICO has taken the mitigating factors into account in its assessment of the reasonable fine. In particular, it was of the opinion that BA has taken immediate steps to minimize the harm to the persons concerned and has taken corrective action. BA also worked with the ICO and other enforcement agencies and promptly notified the individuals concerned. The ICO believed that the media attention this violation received would likely raise awareness of the risks of cyber incidents in other organizations and mobilize them to take preventive action. In addition, the cyber attack and regulatory measures are likely to affect BA’s brand and reputation. The mitigating factors also include the ability to pay the fine, that is, financial difficulties.

After examining the statements submitted by BA, the ICO decided to reduce the fine to £ 30 million. After taking into account the attenuating factors, it was decided to reduce it by 20% and reduce the fine to £ 24 million.

The effects of the pandemic

The aviation industry is one of the sectors hardest hit by the ongoing COVID-19 pandemic. With passenger demand down 98%, the global aviation industry is believed to have lost around $ 84.5 billion in 2020 to the virus. IAG, owned by British Airways, posted a loss of £ 3.8 billion.

The ICO, in its assessment of the fine, took into account the impact of the pandemic on the BA and decided to reduce it by £ 4m and to impose the fine of £ 20m.

Points to note

In its original announcement of the intention to impose a fine on BA, the ICO provisionally found, in addition to Article 5 (1) (f) and 32, that BA violated Article 25 of the GDPR, data protection through design and standard. According to BA’s presentation, in which BA alleged that the ICO had misapplied Article 25 as it was not in force (or should not be considered reliable as in this context only the Obligations from the ICO are repeated Article 32) the ICO decided to determine violations only in relation to Articles 5 and 32. The ICO contradicted BA’s interpretation of Article 25, which applies both at the time of processing itself and at the time the system is designed. This means that it is critically important that organizations monitor their processing and ensure that legacy systems have been adequately assessed, taking into account the requirements of Article 25.

It is also important to ensure that technical and organizational measures are taken in accordance with the requirements of the GDPR. The fines are likely to be higher if an investigation reveals that an organization has not taken appropriate steps to prevent unauthorized access to personal information. The lessons that can be drawn from the BA’s violation are that organizations:

  • Make sure that application access is controlled and only granted to those who need it to do their job
  • Monitor the domain administrator accounts as an essential element of system security (the attackers could gain access to the administrator account, giving them further network access).
  • Protect credentials with multi-factor authentication (e.g. a combination of a password and a code sent to a mobile device).
  • Do not collect or store data unless necessary (BA has collected and stored Credit Card Security Numbers (CVV) in an unencrypted format for 95 days due to human error).
  • Make sure employees receive regular training on data protection and information security
  • Before introducing any new application or website, conduct a privacy impact assessment
  • have effective oversight of IT governance; Use appropriate standards and tools, and regularly perform security updates and vulnerability tests that should extend to third-party applications

One thing is certain: the implementation and maintenance of a suitable IT infrastructure as well as suitable technical and organizational measures are an investment. However, given significant fines, it’s an investment that is likely to protect businesses and minimize the risk of much more expensive fines.