GDPR Breach Costs British Airways

£183m fine

The Information Commissioner’s Office (UK) has imposed a fine of £183m on British Airways (owned by Parent Company IAG) for a breach of its Security Systems last year which BA blamed on hackers who they said carried out a “sophisticated, malicious criminal attach” on its website.

This is the largest fine imposed by the Information Commissioner’s Office and the first penalty it has made public under new rules. The fine represents 1.5% of the worldwide turnover of BA in 2017. The maximum possible fine is 4% of the Company’s worldwide turnover.

BA said it was “surprised and disappointed” by the fine. The Company has 28 days in which to appeal against this fine.

The Company said approximately 380,000 transactions were affected but the stolen data did not include travel or passport details. However the information stolen did include names, email addresses, credit card information such as credit card numbers, expiration dates and the 3-digit CVV code found on the back of credit cards. However BA said that it did not store CVV numbers. The breach of Security had been reported by BA to the Information Commissioner’s Office on 6th September 2018.

If you require any further detail or advice, please contact John Reid in O’Rourke Reid
Dial: +353 1 240 1200

This document is for information purposes only and does not purport to represent legal advice.  
© O’Rourke Reid 2019