ICO fines British Airways £20m for data breach

19 October 2020

On 16 October 2020 the ICO fined British Airways (BA) £20m in respect of a 2018 data breach. Although this is the largest data protection fine ever imposed by the UK regulator, BA will no doubt be breathing a sigh of relief. The ICO had originally indicated that it would fine BA £183.39m.

BA breached data protection laws by failing to take appropriate security measures that would have prevented personal data being accessed during a cyber-attack. The penalty notice issued by the ICO identifies numerous failings and missed opportunities to improve data security. 

Over 400,000 customers were affected by the breach. The unsecured data accessed during the cyber-attack included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers, the combined card and CVV numbers of 77,000 customers and card numbers only for a further 108,000 customers. Login details for BA employee and administrator accounts were also compromised, and the usernames and PINs of up to 612 BA Executive Club accounts were accessed. 

BA did not detect the attack itself and only became aware of the breach some two months later after being alerted to it by a third party. BA did then act promptly in notifying the ICO. Because the breach exposed the personal data of citizens across the EU, the ICO investigated the matter on behalf of all EU authorities under a special cooperation process laid down in the General Data Protection Regulation (GDPR). All EU authorities have approved the £20m penalty imposed by the ICO. 

The ICO first issued a notice of intent to impose a fine against BA in July 2019, indicating that it would impose a fine of £183.39m. The ensuing 15 months have seen a number of delays, indicating a cautious approach by the regulator in its exercise of the enhanced fining powers introduced by the GDPR. The monetary penalty order finally issued by the ICO represents a staggering discount of more than £163m. It is thought that this discount is largely due to the impact of the current Covid pandemic on the airline. 

Whilst the £20m fine is the largest issued by the ICO, it is only the third largest GDPR fine that has been issued in Europe. The top spot is claimed by the French regulator, which fined Google €50m in 2019 for failure to collect valid consent before processing personal data. Google appealed the fine but was unsuccessful. The German regulator in Hamburg takes second place after fining clothing retailer H&M €35.3m in respect of excessive employee monitoring. 

Attention will now focus on the ICO’s proceedings against Marriott International Inc (Marriott). The ICO issued a notice of intention to fine the hotel chain £99m back in July 2019 but has not yet issued the fine. There are clear parallels between the BA and the Marriott cases. Both concerned a failure to implement appropriate security measures, resulting in large amounts of personal data being exposed during cyber-attacks, and both businesses have been hit hard by the Covid pandemic. Quite how hard Marriott will be hit by the ICO remains to be seen. However, as the ICO is again acting on behalf of all EU authorities, it seems likely that it will want to issue the fine before the end of the Brexit transition period on 31 December.

To discuss the legal issues regarding data protection further please contact Kitty Rosser or a member of Birketts Data Protection Team.

The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at October 2020.