• news-banner

    Expert Insights

ICO issues British Airways with a ground-breaking fine

On 16 October 2020, The Information Commissioner’s Office (the “ICO”) imposed a monetary penalty notice fining British Airways Plc (“BA”) £20million for breaching its data security obligations under the General Data Protection Regulation (the “GDPR”) when they faced a cyber-attack in 2018. This is the ICO’s largest fine to date and the amount imposed was a significant reduction on the £183.39 million the ICO announced that it intended to fine BA back in July 2019.

Details of the cyber attack

The attacker is believed to have accessed the personal data of over 400,000 BA customers and staff members worldwide. Information obtained includes names, addresses, payment card numbers and CVV numbers; although it is thought only around 100,000 customers had their payment information accessed. The attack went undetected for over 2 months spanning from 22 June to 5 September 2018.

Usernames and passwords of BA employee accounts, as well as usernames and PINs of up to 600 BA Executive Club accounts, were also potentially accessed.

Failure to prevent the attack

The ICO listed a number of factors in its penalty notice report that BA could have used to mitigate the risk of the attacker being able to access personal data through the BA network. These include:

  • limiting access to applications, data and tools to only those which are required to fulfil a user’s role;
  • undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems; and
  • protecting employee and third party accounts with multi-factor authentication.

It was noted that these additional measures would not have entailed excessive costs or technical barriers to BA, with some of these measures already available through the Microsoft Operating System that they used.

Another consequential factor taken into account by the ICO was that on 22 June 2018 BA did not detect the attack themselves but were informed by a third party more than two months after, on 5 September 2018. The ICO considered this to be a severe failing because it is not clear whether or when BA would have identified the attack themselves. Had it not been for this third party the financial harm could have been even more widespread.


The fine payable by BA is the largest imposed to date by the ICO for a breach of the GDPR. Although £20million appears to be a narrow escape (compared to the £183million originally suggested by the ICO), Article 83 of the GDPR does require the ICO to ensure any fine imposed is "effective, proportionate and dissuasive". The ICO considered BA’s prompt action that was taken to mitigate the risk of harm suffered (once aware of the attack), as well as the economic impact of COVID-19 on the business – and with all considerations taken into account, imposed a greatly reduced (albeit still eye-watering) fine.

Our thinking

  • IBA Annual Conference 2024

    Charlotte Ford


  • Tortious liability: Supreme Court brings relief for directors

    Olivia Gray


  • Stephen Burns and Katie Bewick write for New Law Journal on shareholders’ rights after Zedra

    Stephen Burns

    In the Press

  • Rhys Novak writes for Solicitors Journal on what legal advisors need to know about dawn raids

    Rhys Novak

    In the Press

  • Employment Law & Worker Rights - The Conservative Party’s Manifesto

    Nick Hurley


  • "Has anyone seen my cat?" - Pet-Nups and Pet Disputes between Unmarried Couples

    Jessie Davies

    Quick Reads

  • Employment Law & Worker Rights - The Liberal Democrats Manifesto

    Nick Hurley


  • The Africa Debate: Africa’s role in a changing global order

    Matthew Hobbs

    Quick Reads

  • Charles Russell Speechlys advises Foodles on the strategic acquisition of caterer Le Val d'Evre

    Renaud Ferry


  • Re UKCloud: The importance of exercising control over a fixed charge asset

    Cara Whiffin


  • Bloomberg quotes Dominic Lawrance on pledges to scrap preferential tax treatment for non-doms

    Dominic Lawrance

    In the Press

  • Consumer Duty Board Report

    Richard Ellis


  • Standard of repair put to the test - Estates Gazette Q&A

    Emma Humphreys


  • A Closer Look at the Current State of Artificial Intelligence Regulation in the Gulf

    Mark Hill

    Quick Reads

  • LIDW: Is arbitration an effective process for disputes involving state interests: a panel discussion of concerns raised in Nigeria v. P&IDL [2023] EWHC 2638

    Richard Kiddell


  • Is the horizon level? Current updates and predictions for Competition Law in the UAE

    William Reichert


  • Injunctions against potential protesters - Estates Gazette Q&A

    Samuel Lear


  • Michael Powner, Isobel Goodman and Hauwa Ottun write for Law 360 on the Tips Act

    Michael Powner

    In the Press

  • LIDW: An Era of Constant Change – an event to explore the General Counsel’s role in delivering sustainable growth whilst managing global ESG risks

    Caroline Greenwell


  • Emily Chalkley writes for The Times on how best to use employee influencers

    Emily Chalkley

    In the Press

Back to top