ICO Announces Record GDPR Fine Against British Airways of $230 Million - Clarip Privacy Blog

ICO Announces Record GDPR Fine Against British Airways of $230 Million

The UK Information Commissioner’s Office (ICO) has announced a record GDPR fine of $230 million (USD) against British Airways. The preliminary announcement relates to a data breach last year that leaked the personal information of around 500,000 customers. The ICO investigation found that the information was compromised by “poor security arrangements”.


When the data breach became public last year, several commentators publicly called the incident one of the first big tests of GDPR. It looks like they were right.

The incident involved the diversion of British Airways website traffic by malware to a fraudulent website that collected personal details on approximately 500,000 customers beginning in June 2018. The compromised information included names, addresses, login details, payment card data, and other travel booking details. British Airways notified the ICO of the cyber incident in September 2018. According to the ICO, British Airways cooperated with the investigation and improved its security arrangements after the incident.

The announcement from the ICO is a notice of intention to fine British Airways. The company and the data protection authorities of the other EU member states will have a chance to weigh in before the ICO makes a final ruling. The ICO is the lead supervisory authority for British Airways under the GDPR’s one-stop-shop provisions.

The record GDPR fine is 1.5% of the total revenue of British Airways for the year ending December 31, 2017. The GDPR permits data protection authorities to fine companies up to a maximum of 4% of annual global turnover. Before this announcement, the largest fine levied under the European Union General Data Protection Regulation, which went into effect on May 25, 2018, was a fine of $57 million by France’s data protection regulator (CNIL) against Google for practices involving Android.

The potential British Airways fine is based on the cybersecurity obligations found in the GDPR. GDPR Article 32 requires organizations to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Article 33 requires organizations to notify the supervisory authority within 72 hours of becoming aware of a breach. Based on the announcement, it appears that only Article 32 is implicated by the breach here. The publicly available information does not mention a failure to report the data breach within the 72-hour window.

British Airways was also criticized last year by members of the public and the media for its data privacy practices on Twitter. Representatives of the company operating on social media were asking customers to post sensitive information publicly to assist them with resolving their customer service issues. In the tweets, they implied that this information was required by the GDPR. The preliminary announcement did not mention these issues, but the

European Union Data Protection Authorities (DPAs) have been criticized in the media over the past year for not levying any major fines against tech companies and others in the months following the GDPR’s effective date. However, it seems that this could be changing. There are currently over 50 large-scale investigations by the Irish DPA, and its lead regulator has publicly indicated that there would be announcements about the outcome of some of these investigations this summer.
