British Airways slapped with hefty £183m fine for 2018 data breach

British Airways plane

The fine relates to a cyber incident notified to the ICO by British Airways back in September 2018.

British Airways is facing a record fine of £183m for last year’s breach of its security systems, which the ICO says is the largest penalty it has handed out under the new General Data Protection Regulation (GDPR). 

The incident involved user traffic to the British Airways website being sent to a fraudulent site, where the attackers harvested BA customer details.

Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.

The ICO revealed that it found a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.

“People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience,” said Information Commissioner Elizabeth Denham.

“That’s why the law is clear – when you are entrusted with personal data you must look after it.

“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light, according to the ICO.

“The BA fine demonstrates the paramount importance to business of getting security right,” said David Francis, IT security consultant, KCOM.


Time is precious, but news has no time. Sign up today to receive daily free updates in your email box from the Data Economy Newsroom.

“Data access must be controlled with the greatest of care, for the sake of customer privacy first and for the health and reputation of the business second.

“It’s essential to be able to identify when a breach has taken place, who accesses what information and where it has moved. Endpoint protection is not enough – the data is the target and the asset, so it’s data that must be secured, with as much granular insight into access privileges as possible.

“Only then can companies be rapidly notified of unauthorised access, and have a better chance of identifying the source of the leak at speed.”

Experts say that British Airways could have done more to keep the front end of their data network secure.

“The attack was made possible due to a major web based vulnerability in the front end of BA’s website which cyber attackers exploited using a common strain of malware, heavily customised to exploit the vulnerabilities of the BA network,” said Alex Bransome, Virtual Cyber Information Security Officer at Doherty Associates.

“It was a very well planned and targeted attack which allowed cyber criminals to skim off customer data and credit card details.

“BA should have been doing more to monitor, test and update their security systems to ensure there were no gaps in their cyber defence that hackers could take advantage of.

“Commonly organisations make the mistake of deploying security systems and then leaving them but this record £183m fine imposed on BA is a warning shot to all other organisations that the ICO is serious about fining anyone breaching GDPR regulations.

“To keep your front door secure and personal data protected at all times, companies must regularly run security checks and update their security systems to ensure any vulnerabilities are identified and patched so no gaps are left for cyber criminals to exploit.

“If not, they are leaving their customers’ data exposed, risking a GDPR compliance breach and major reputation damage.”