Information Commissioner's Office
ICO statement: Intention to fine British Airways £183.39m under GDPR for data breach
Following an extensive investigation the ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).
The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.
The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.
Information Commissioner Elizabeth Denham said:
“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction.
ICO has been investigating this case as lead supervisory authority on behalf of other EU Member State data protection authorities. It has also liaised with other regulators. Under the GDPR ‘one stop shop’ provisions the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision.
Latest News from
Information Commissioner's Office
Former motor industry worker ordered to pay £25,500 from proceeds of data theft18/07/2019 11:32:00
A motor industry employee who was sentenced to six months in prison in November 2018 for accessing personal data without permission, has been ordered to pay a £25,500 confiscation order in a case brought by the Information Commissioner’s Office (ICO).
Speech: The future of online advertising regulation12/07/2019 13:47:00
Simon McDougall, Executive Director for Technology Policy and Innovation’s speech at the Westminster Media Forum Keynote Seminar: The future of online advertising regulation.
Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach10/07/2019 12:20:00
Statement given yesterday in response to Marriott International, Inc’s filing with the US Securities and Exchange Commission that the Information Commissioner's Office (ICO) intends to fine it for breaches of data protection law.
Blog: Live facial recognition technology - data protection law applies10/07/2019 09:10:00
Blog posted by: Elizabeth Denham, Information Commissioner, 09 July 2019.
ICO publishes annual report covering an ‘unprecedented’ year09/07/2019 15:51:00
The public has woken up to the potential of their personal data, the Information Commissioner has said as the ICO’s annual report for 2018-19 was published today. Elizabeth Denham also said it covered an ‘unprecedented’ year for the regulator.
Blog: Cookies – what does ‘good’ look like?04/07/2019 12:25:00
Blog posted by: Ali Shah, Head of Technology Policy, 03 July 2019.
Former company director believed to have profited by more than £1.4 million after selling personal data illegally01/07/2019 12:25:00
A former company director found guilty of illegally obtaining people’s personal data and selling it to solicitors chasing personal injury claims, has been fined for breaches of data protection and issued with a confiscation order under the Proceeds of Crime Act 2002.
ICO searches Liverpool addresses as part of investigation into suspected illegal acquisition and sale of personal data28/06/2019 15:20:00
The Information Commissioner’s Office (ICO) yesterday (27 June) searched two addresses in Liverpool, as part of an ongoing investigation into the acquisition and sale of illegally obtained personal data.