ICO issues British Airways with a ground-breaking fine

On 16 October 2020, the Information Commissioner’s Office (the “ICO”) issued a monetary penalty notice fining British Airways Plc (“BA”) £20 million for breaching its data security obligations under the General Data Protection Regulation (the “GDPR”) in connection with a cyber-attack BA suffered in 2018. This is the ICO’s largest fine to date, although the amount imposed is a significant reduction on the £183.39 million the ICO announced it intended to fine BA in July 2019.

Details of the cyber attack

The attacker is believed to have accessed the personal data of over 400,000 BA customers and staff members worldwide. The information obtained included names, addresses, payment card numbers and CVV numbers, although only around 100,000 customers are thought to have had their payment card details accessed. The attack went undetected for more than two months, from 22 June to 5 September 2018.

Usernames and passwords of BA employee accounts, as well as usernames and PINs of up to 600 BA Executive Club accounts, were also potentially accessed.

Failure to prevent the attack

The ICO listed in its penalty notice a number of measures that BA could have taken to mitigate the risk of the attacker gaining access to personal data through the BA network. These include:

  • limiting access to applications, data and tools to only those which are required to fulfil a user’s role;
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems; and
  • protecting employee and third party accounts with multi-factor authentication.

The ICO noted that these additional measures would not have entailed excessive cost or technical difficulty for BA, and that some of them were already available within the Microsoft operating system BA used.

Another significant factor taken into account by the ICO was that BA did not detect the attack, which began on 22 June 2018, itself; it was informed by a third party more than two months later, on 5 September 2018. The ICO considered this a severe failing because it is not clear whether, or when, BA would have identified the attack on its own. Had it not been for that third party, the financial harm could have been even more widespread.

Significance

The fine payable by BA is the largest imposed to date by the ICO for a breach of the GDPR. Although £20 million may look like a narrow escape compared with the £183.39 million originally proposed, Article 83 of the GDPR requires the ICO to ensure that any fine imposed is "effective, proportionate and dissuasive". The ICO took into account the prompt action BA took to mitigate the risk of harm once it became aware of the attack, as well as the economic impact of COVID-19 on the business, and with all considerations weighed imposed a greatly reduced (albeit still eye-watering) fine.
