An investigation by the ICO finds British Airways infringing GDPR

Updated: Apr 14, 2020

Following an in-depth investigation, the ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the GDPR.

The full press release is available on the ICO website.

The proposed fine relates to a cyber incident that British Airways notified to the ICO in September 2018. The incident in part involved user traffic to the British Airways website being diverted to a fraudulent site, through which the attackers harvested the details customers entered. Personal data of approximately 500,000 customers was compromised, and the compromise is believed to have begun as early as June 2018.

The ICO’s investigation found that a variety of information was compromised as a result of poor security arrangements at the company, including login, payment card and travel booking details, as well as name and address information.

Information Commissioner Elizabeth Denham stated: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have the opportunity to make representations to the ICO on the proposed findings and sanction.

The ICO has been investigating this case as lead supervisory authority on behalf of the other EU Member State data protection authorities.

It has also liaised with other regulators. Under the GDPR ‘one-stop-shop’ provisions, the data protection authorities in the other EU Member States whose residents have been affected will also have the opportunity to comment on the ICO’s findings.

The ICO will carefully consider the representations made by the company and by the other data protection authorities concerned before it takes its final decision.