British Airways facing record £183 million fine over data hack of customer information

The Information Commissioners Office (ICO), the UK’s data protection watchdog responsible for upholding the public’s information rights, has today issued a Notice of Intention to fine British Airways £183.39 Million for a breach of the General Data Protection Regulation (GDPR) in relation to the serious data hack the airline suffered in 2018.

As a result of its investigations, the ICO has confirmed that the personal data of approximately 500,000 customers was compromised and that the data breach began in June 2018, some three months before customers were informed. 

This confirms a more extensive data breach than initially reported by British Airways in September 2018 when it said that only customers making bookings between 21st August 2018 and 5th September 2018 were affected and this related to around 380,000 card payments.

British Airways has previously confirmed that the hacked information included customers’ names, email addresses and credit card details, including the credit card number, expiration date and the three digit [CVV] code on the back of the credit card.

In November 2018, there were reports that affected customers’ personal information was being sold by Russian hackers on the dark web.

The ICO has found the customer information was compromised by poor security arrangements and that the hack included diverting user traffic from the British Airways website to a fraudulent site, where customer details were harvested by hackers.

British Airways now has an opportunity to respond to the ICO’s findings, including the level of the proposed fine.

Sean Humber, a leading data protection lawyer at Leigh Day who acts for victims of cybercrime said:

“The ICO’s Notice of Intent is significant development. It confirms that, following its extensive investigation, the ICO believes that British Airways broke the law in failing to take adequate security measures to protect its customers’ information. It also suggests that the breach was more extensive than initially stated, with approximately 500,000 customers affected by a data breach that began in June 2018. 

“The level of the proposed fine is also significant. It will be the first fine for a substantial data breach levied in the UK under the new data protection regime provided by the General Data Protection Regulation (GDPR). The GDPR allows fines of 20 Million Euros or 4% of annual global turnover, whichever is greater. Previously the maximum fine under the Data Protection Act 1998 was £500,000. Given that British Airways turnover was £13 Billion in 2018, a fine of £183 Million would represent about 1.5% of its turnover.  

“Given the scale of data breach, the sensitivity of the personal data hacked and the level of distress and inconvenience caused to its customers, British Airways may well consider itself fortunate that the ICO currently only intends to fine it £183 Million when it could be fined more than double this amount under the GDPR.”

"Completely separate from any fine levied by the ICO, customers affected by the data breach are likely to be entitled to compensation for the distress and inconvenience caused by the loss of their information, even if they have not suffered any direct financial loss."