GDPR: British Airways feels the full force of the ICO with a EUR 200 million fine

Last September, British Airways suffered a data breach that affected over 500,000 of its customers. This breach resulted in the largest fine to date under the GDPR, which was issued by the UK Data Protection Authority, the ICO.

The facts

The personal data of the British Airways customers was stolen through a “phishing operation” where hackers pretend to be a trusted third party, such as British Airways, in an attempt to get data subjects to hand over their personal data unaware of the recipients true identity.

In the present case, hackers created a fake British Airways website that was almost indistinguishable to the official one. Data subjects therefore gave up usernames, passwords, credit card information, passport information, etc. 

The ICO’s Response

Following this breach, British Airways notified the ICO, the UK’s supervising authority mandated to enforce the GDPR.

Following their investigation, the ICO has just filed its notice of intention to order British Airways to pay a EUR 204 million (or £183 million) fine for failing to respect its obligations under the GDPR, namely in respect of failures by the airline to ensure the security and confidentiality of personal data of its customers.

To date, this fine sets a new record for the highest fine issued under the GDPR. However, although the law only came into force in May 2018, its first 12 months were viewed as a transitional period of sorts.

Now that national authorities such as the ICO in the UK or the CNIL in France have the green light to issue heavier fines under the GDPR, this high penalty issued to British Airways is surely just the beginning of a crack-down in enforcement by the supervisory authorities across Europe, after a fairly placid first year post-GDPR. Indeed, following on from this British Airways case, the ICO has already issued a notice of intention to fine Marriott International more than EUR 110 million (or £99 million) for a GDPR data breach caused by a cyber incident.

 In Summary

In the words of Elizabeth Denham, the ICO’s Information Commissioner:

            Accountability is at the centre of all this: of getting it right today, getting it right in May 2018, and getting it right beyond that. 

If you have any questions concerning data breaches or the GDPR in general, please do not hesitate to contact us!

Article by Justin Boileau, Legal consultant @ Gerrish Legal, July 2019.