ICO issues British Airways with a ground-breaking fine

On October 16, 2020, the Information Commissioner’s Office (“ICO”) fined British Airways Plc (“BA”) £ 20 million for violating its data protection obligations under the General Data Protection Regulation (“ GDPR ”) You were exposed to a cyber attack in 2018. This is the ICO’s largest fine to date, and the amount imposed was a significant reduction from the £ 183.39m that the ICO announced it would fine BA as early as July 2019.

Cyber ​​attack details

The attacker is believed to have accessed the personal data of over 400,000 BA customers and employees worldwide. The information received includes names, addresses, payment card numbers and CVV numbers. although it is believed that only around 100,000 customers have accessed their payment information. The attack went undetected for over two months from June 22 to September 5, 2018.

BA employee account usernames and passwords and usernames and PINs of up to 600 BA Executive Club accounts may also have been accessed.

Failure to prevent the attack

The ICO listed a number of factors in its criminal report that BA could have used to reduce the risk that the attacker could access personal data via the BA network. These include:

  • Restricting access to applications, data and tools to those necessary to fulfill the user role;
  • Carrying out rigorous tests simulating a cyber attack on corporate systems; and
  • Protect employee and third party accounts with multi-factor authentication.

It was found that these additional measures would not have created excessive costs or technical barriers for BA as some of these measures were already available through the Microsoft operating system they were using.

Another factor taken into account by the ICO was that BA did not discover the attack itself on June 22, 2018, but was informed by a third party more than two months later, on September 5, 2018. The ICO considered this a fatal flaw because it is not clear if or when BA would have identified the attack itself. Had it not been for this third party, the financial damage could have been even more widespread.


The fine to be paid by BA is the highest that the ICO has so far imposed for a violation of the GDPR. Although £ 20m seems like a tight escape (compared to the £ 183m originally proposed by the ICO), Article 83 of the GDPR requires the ICO to ensure that a fine is “effective, proportionate and dissuasive”. The ICO took into account the immediate actions taken by BA to mitigate the risk of harm suffered (once the attack became known) as well as the economic impact of COVID-19 on the business, and with all considerations in mind, resulted in a significant reduction (albeit still tearful) good.

Recent articles

Crypto exchanges struggle as El Salvador adopts Bitcoin

Today, Bitcoin is becoming an official currency in El Salvador, and the markets and crypto exchanges seem to be struggling. On...

Schools are back – and time to comply with the ICO’s Age Appropriate Design Code

As of September 2, 2021, the United Kingdom's Information Commissioner's Office ("ICO") expects organizations to use their Age Appropriate Design Code ("AADC"). The...

the ICO wants input on when personal data goes international

You don't have to be a data-focused IT service provider to realize that the UK was lucky enough to receive an adequacy decision from...