ICO fines British Airways £20m for data breach
October 19, 2020

On 16 October 2020 the ICO fined British Airways (BA) £20m in respect of a 2018 data breach. Although this is the largest data protection fine ever imposed by the UK regulator, BA will no doubt be breathing a sigh of relief. The ICO had originally indicated that it would fine BA £183.39m.

BA breached data protection laws by failing to take appropriate security measures that would have prevented personal data being accessed during a cyber-attack. The penalty notice issued by the ICO identifies numerous failings and missed opportunities to improve data security. 

Over 400,000 customers were affected by the breach. The unsecured data accessed during the cyber-attack included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers, the combined card and CVV numbers of 77,000 customers and card numbers only for a further 108,000 customers. Login details for BA employee and administrator accounts were also compromised, and usernames and PINs of up to 612 BA Executive Club accounts were accessed.

BA did not detect the attack itself and only became aware of the breach some two months later after being alerted to it by a third party. BA did then act promptly in notifying the ICO. Because the breach exposed the personal data of citizens across the EU, the ICO investigated the matter on behalf of all EU authorities under a special cooperation process laid down in the General Data Protection Regulation (GDPR). All EU authorities have approved the £20m penalty imposed by the ICO. 

The ICO first issued a notice of intent to impose a fine against BA in July 2019, indicating that it would impose a fine of £183.39m. The ensuing 15 months have seen a number of delays, indicating a cautious approach by the regulator in its exercise of the enhanced fining powers introduced by the GDPR. The monetary penalty order finally issued by the ICO represents a staggering discount of more than £163m. It is thought that this discount is largely due to the impact of the current Covid pandemic on the airline. 

Whilst the £20m fine is the largest issued by the ICO, it is only the third largest GDPR fine that has been issued in Europe. The top spot is claimed by the French regulator, which fined Google €50m in 2019 for failure to collect valid consent before processing personal data. Google appealed the fine but was unsuccessful. The German regulator in Hamburg takes second place after fining clothing retailer H&M €35.3m in respect of excessive employee monitoring. 

Attention will now focus on the ICO’s proceedings against Marriott International Inc (Marriott). The ICO issued a notice of intention to fine the hotel chain £99m back in July 2019 but has not yet issued the fine. There are clear parallels between the BA and the Marriott cases. Both concerned a failure to implement appropriate security measures, resulting in large amounts of personal data being exposed during cyber-attacks, and both businesses have been hit hard by the Covid pandemic. Quite how hard Marriott will be hit by the ICO remains to be seen. However, as the ICO is again acting on behalf of all EU authorities, it seems likely that it will want to issue the fine before the end of the Brexit transition period on 31 December.

To discuss the legal issues regarding data protection further please contact Kitty Rosser or a member of Birketts Data Protection Team.

Kitty Rosser


The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at October 2020.

© Copyright Birketts LLP 2022 All rights reserved