The UK Information Commissioner’s Office announced on July 8, 2019 that it intends to fine British Airways £183,390,000 ($230 million) for infringements of the General Data Protection Regulation (GDPR). This would be the largest penalty levied against a company under GDPR by any regulator.
The proposed penalty stems from a breach of British Airways’ website in which the personal data of approximately 500,000 customers was compromised. The breach was disclosed by British Airways in September 2018, with follow up disclosures in October 2018. Following an extensive investigation, the ICO found that poor security arrangements at British Airways enabled the data breach and justified the proposed penalty. The regulator noted that BA has cooperated with the ICO investigation, has taken measures to improve security, and will have the opportunity to make representations to the ICO regarding the proposed findings and sanction.
For its part, International Airlines Group, which owns British Airways, told investors that it intends to push back against the penalty. IAG noted that the proposed penalty is equal to 1.5 percent of the airline’s worldwide turnover for financial year 2017 (less than the 4 percent ceiling for such penalties imposed by GDPR), and that the airline had found no evidence of fraudulent activity on accounts linked to the data breach.