BA Faces "Largest" GDPR Breach Fine

British Airways (BA) looks set to face the largest GDPR penalty by the Information Commissioner’s Office (ICO) of £183m for last year’s data breach that put 500,000 customers’ details at risk.

In 2018, the airline’s website was diverted to a fraudulent site, where customers’ details were then able to be harvested by hackers. The ICO ruled that BA had been negligent in its protection of customers’ personal data, as the law surrounding GDPR, and the protection of such data, was quite clear.

Originally, BA reported the incident had jeopardised approximately 380,000 transactions. However, the stolen data did not include travel or passport details – so the ICO believe the false site actually harvested the details of around 500,000 customers. These details included names, emails and credit card details such as expiry dates and CVV codes.

The new GDPR rules came in to force last year and until now, the biggest penalty was imposed on Facebook amounting to £500,000 for its part in the Cambridge Analytica data scandal. However, with the maximum penalty having been increased under the GDPR and since the ICO considered the breach so significant, they applied the percentage of turnover calculation in determining the penalty due – i.e 1.5% of BA’s turnover in 2017.

Whilst that is a staggeringly high amount, the ICO can actually fine organisations up to 4% of turnover. It just goes to show that they mean business, and that there are severe consequences for those who do not abide by the law.

If you would like some further guidance surrounding GDPR compliance at your organisation, or you have been accused of a data breach and you would like some legal advice, contact Downs Solicitors to see how we can help.

Richard Clapham

Richard Clapham


Tel: +44 (0) 1483 411531

Office: Godalming Office

Email: [email protected]