Download PDF

BA facing £183.39m fine for GDPR data breach

July 2019
James Hutchinson

The Information Commissioner’s Office has announced its intention to issue British Airways with a penalty notice for £183.39m concerning infringements of the General Data Protection Regulation (GDPR). The fine represents the first the ICO has proposed under the GDPR and amounts to approximately 1.5% of BA’s £11.6bn worldwide turnover.

In September 2018, BA notified the ICO that it had suffered the theft of customer data from its website and its mobile app. The stolen data included personal and financial details of customers who had made online bookings and changes to those bookings. Personal data of approximately 500,000 customers were compromised in the incident, which is believed to have started in June 2018.

The ICO found that the breach was caused by poor security arrangements at BA. Data that was compromised included login, payment card, travel booking details, and customer names and addresses.

James Hutchinson, a Partner at Beale & Co, said:

This is the biggest fine the ICO has given and the first made public under the GDPR. The ICO has signalled that all organisations have an obligations to look after personal data with which they are entrusted. Those that do not will face scrutiny and substantial fines.

Organisations need to check they not only have proper procedures in place but they are being regularly reviewed and tested. BA was fined despite cooperating with the ICO and having made improvements to its security arrangements since the events came to light.

The ICO will now consider representations made by BA and other international data protection authorities before it takes its final decision. BA has said they will take all appropriate steps to defend the airline’s position, including making any necessary appeals.

If you have any queries on data protection, please do not hesitate to contact James Hutchinson at or at +44 (0) 20 7469 0408.

Download PDF