Posted on 09 July 2019

ICO propose record-breaking GDPR fine following British Airways hack

Following the theft of personal data from 500,000 customers during an attack last year, the ICO have proposed their largest penalty yet – £183.4 million, or 1.5% of British Airways’ 2017 worldwide turnover.

So, what happened?

A security failure on the British Airways website exposed the personal details of roughly 500,000 customers.

The ICO argue that, due to “weak security”, traffic to the BA website was diverted to a fraudulent site that asked for customer details, including login information, payment card details, names and addresses. This data was then harvested by fraudsters.

Information Commissioner Elizabeth Denham said:

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Why is BA’s proposed fine so much larger than Facebook’s?

The fine would be the largest the ICO has ever issued, making the £500,000 fine against Facebook for the Cambridge Analytica scandal that affected millions seem trivial.

Facebook were fined the maximum amount allowed under the UK’s previous data privacy law, the Data Protection Act 1998. Under the GDPR, a company can be fined up to €20 million or 4% of its annual worldwide turnover, whichever is higher. The proposed BA fine amounts to 1.5% of turnover rather than the full 4%, but it is still a hefty price to pay.

GDPR applies to SMEs too!

As awareness of GDPR and of the rights people have over their own data increases, the number of reported data breaches is going up too. According to a report published in June 2019, “the ICO has received around 14,000 data breach reports over the past year, which quadrupled from records of the preceding year.”

If your company processes personal data, whether you are a large corporation or an SME, you can be fined and/or named and shamed if you do not comply with the GDPR’s requirements.

At Infuse, we provide GDPR audits to ensure your company is compliant with requirements. For further information, please get in touch by emailing [email protected]