British Airways fined £20m by ICO due to data breach

British Airways has today received a fine of £20m by the Information Commissioner’s Office (ICO), following a data breach that affected more than 400,000 of the airline’s customers.

The data breach took place in 2018 and affected the customers’ personal and credit card information. It took two months for BA to recognise the breach, and make the ICO aware of the issue.

Initially, the ICO issued a £183m fine in 2019 following the breach. However, this is still the largest penalty issued by the ICO to date.

Information Commissioner Elizabeth Denman said: “When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security.”

Industry reaction

Gareth Oldale, partner and head of data privacy and cybersecurity at UK law firm TLT said: “The original ICO notification was a notice of intention to fine, not a notice of the fine itself. BA challenged the original £183m and – by any measure – has been successful in convincing the ICO to reduce the level of that fine by nearly 90%.

“Reasons for the reduction are likely to include: BA having been able to demonstrate the steps it has taken to address the causes of the breach, no doubt emphasising that it was the target of a criminal attack; BA successfully landing some legal arguments as to why the level of the fine was disproportionate in the first place; and the Covid-19 impact on the aviation sector generally and BA specifically. One factor taken into consideration by the ICO when setting fines is that the level of the fine must have a dissuasive effect. Prior to Covid-19, £183m was more proportionate to BA as an organisation. Post Covid-19, the ICO may have taken the view that £20m is still sufficiently high to have a dissuasive effect.

“This represents the highest fine ever issued by the ICO, and is a huge step on from the £500,000 fines issued to transgressors prior to the implementation of the GDPR. However, having grabbed the headlines by issuing notice of its intention to fine £183m, reducing that to £20m cannot look like anything other than a huge capitulation on the part of the Regulator. There are no doubt good reasons behind the reduction – and we can all sympathise with the unforeseen impact of Covid-19 – but having made such a bold statement of intent at the outset, the eventual result – which has come at the end of a long delay – looks weak.”

“It is clear now that challenging the ICO’s intention to fine appears to be an investment worth making, at least when the fines are high value. Aside from the massive reduction in the level of the fine, BA has also successfully bought itself lots of time, which helps with the payment profile of the fine. £20million is still a major sum of money, and so organisations cannot be blasé about GDPR compliance. However, this reduction – coupled with what is likely to be a similar reduction in the Marriott enforcement action that has been running in parallel – does look encouraging from a corporate perspective.”

Aman Johal, Lawyer and Director of law firm Your Lawyers, said: ““It is concerning that British Airways has been fined just £20m after a significant climb down from the ICO’s provisional intention to fine the airline £183m following their 2018 data breach. A reduction of £163m – almost 90% – means the final fine is a drop in the ocean for BA.

“The fact that this agreed fine is a clear admission of liability from BA now cannot be ignored. There is now no excuse in BA defending the compensation action any longer, and they must agree to compensation settlements immediately. More delays in doing the right thing serves only to further damage the BA brand following numerous scandals in recent years. The change in CEO is an opportunity for the airline to show proper leadership and get a hold of BA’s dwindling reputation. Resolving the compensation action is a key part of this.

“The ICO’s earlier record intention to fine was a landmark moment. It set the standard as a candid warning that is so desperately needed at a time when large scale data breaches are rampant. I am concerned that such a significant climb down undermines the GDPR and its ability to act as a credible deterrent to big business by sending the message that they can orchestrate their way out of paying substantial financial penalties. If this is to be a trend, the only real deterrent against large corporations breaching the GDPR will be the pursuit of large group action claims for compensation, like the one against British Airways.”