British Airways fined £183.38 million for GDPR data breach

British Airways has received a fine under the new GDPR regulations for its data breach reported in September last year.

The Information Commissioner’s Office (ICO) has issued the airline owner IAG a fine of £183.39 million for a security breach which impacted half a million customers. It is the first fine to be made public since GDPR became EU law in May 2018.

Over the period of June to September 2018, hackers introduced malware which diverted British Airways customers to a fraudulent website, where details were harvested by the attackers. Customer log-in, payment card, travel and booking details, as well as names and addresses, were stolen during the breach.

The ICO has concluded that the attack occurred due to “poor security arrangements” at British Airways.

“People’s personal data is just that – personal,” said Information Commissioner, Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The ICO said British Airways has cooperated with the investigation and has since made improvements to its security.