United Kingdom United Kingdom

British Airways

22,046,000 €

GDPR enforcement action by Information Commissioner (ICO) on 2020-10-16.

Rank · Sector
#3
of 169 in Transportation and Energy
Rank · United Kingdom
#1
of 28
Rank · All fines
#28
of 3,059

Case details

Authority
Information Commissioner (ICO)
Date
2020-10-16
Controller / Processor
British Airways
Sector
Transportation and Energy
Quoted Articles
Art. 5 (1) f) GDPR, Art. 32 GDPR
Type of violation
Insufficient technical and organisational measures to ensure information security

Summary

In July 2019, the ICO issued a notice of its intention to fine British Airways £183.39M for GDPR infringements which likely involve a breach of Art. 32 GDPR. The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018. The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.

In the meantime, the final fine imposed on the airline has been set at £20 million (approximately EUR 22,046,000). The ICO emphasized that when setting the amount of the fine, it also took into account the economic impact of the COVID-19 ("Coronavirus") pandemic on the airline industry.

Open original source Links to the regulator's original publication or another source.

Related fines