The UK Information Commissioner’s Office (“ICO”) has issued a notice of intention to fine British Airways following an extensive investigation into the British Airways cybersecurity incident (notified by British Airways to the ICO in September 2018).  The fine of £183.4 million relates to various alleged infringements of the EU General Data Protection Regulation (“GDPR”).

According to the ICO’s press release, the cybersecurity incident in question involved a hack that caused user traffic to the British Airways customer website to be diverted to a fraudulent site. The false site was then able to harvest the personal information of approximately 500,000 British Airways customers. The ICO commented that its investigation revealed “poor security arrangements”  including in relation to the security of customers’ log in, payment card, and travel booking details as well name and address information.

The proposed fine, if enforced by the ICO, will be the largest penalty levied under the GDPR to date. The ICO has not yet detailed the basis upon which it has calculated the size of the fine, however the sum is equal to approximately 1.5% of British Airways’ global passenger turnover in 2018 (£11.6billion), falling short of the maximum fine which can be levied under the GDPR (which is up to 4% of  group annual worldwide turnover).

The proposed fine would certainly set the tone for UK enforcement, further emphasised by the comments of the UK Information Commissioner, Elizabeth Denham, who stated:

People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways is reported to have been cooperative with the ICO’s investigation and now has the opportunity to make representations to the ICO before a final sanction is imposed.

The ICO’s press release can be found here.