BA hit with 'biggest fine to date' from UK regulator for GDPR breach

ICO had initially proposed £183m penalty to airline for 2018 data breach but scaled back to £20m due to financial impact of COVID-19

British Airways has been slapped with a £20m fine for a GDPR breach, the biggest to date from The Information Commissioner's Office (ICO).

The ICO investigated a cyberattack in 2018 which saw half a million customers' details harvested by hackers. It last year issued the airline with a notice of intention to fine, proposing a £183m levy under GDPR.

However, the regulator considered representations from BA and the economic fallout from COVID-19 on the airline before issuing the £20m penalty.

The ICO investigation found that BA was processing "a significant amount of personal data without adequate security measures in place" and that this inadequacy broke data protection law under GDPR, leading BA to be the target of a cyberattack in June 2018, which it did not detect for more than two months.

"People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure," stated information commissioner Elizabeth Denham.

"Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That's why we have issued BA with a £20m fine - our biggest to date.

"When organisations take poor decisions around people's personal data, that can have a real impact on people's lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security."

Martin Courtney, principal analyst at market watcher TechMarketView, stated that the BA case provides a "blueprint" for GDPR and what counts as acceptable cybersecurity protection for private data.

"Despite being trimmed, BA's £20m fine is still the largest ever served in the UK for a data protection breach and is intended as a warning from the ICO to others," he stated.

"But it also provides a blueprint for the timescale involved in investigating and ruling on GDPR misdemeanours, and an indication of what will be judged as acceptable cybersecurity provision to protect citizen's private data and what will not."