The UK’s Information Commissioner’s Office (“ICO”) today (8 July 2019) announced its intention to fine British Airways (“BA”) £183.39m under the General Data Protection Regulation (“GDPR”) for a personal data breach. This is the highest fine issued so far by a European Union data protection supervisory authority for a personal data breach under the GDPR.
The breach, described as a “sophisticated, malicious criminal attack”, was first disclosed on 6 September 2018. Details of approximately 500,000 BA customers were compromised during the breach, which involved the diversion of user traffic from the BA website to a fraudulent website. The personal information compromised included names, email addresses and payment card details used during the booking process. The ICO indicated that BA cooperated with the ICO investigation and has made security improvements following the incident.
The penalty is reported to amount to about 1.5% of the global annual turnover of BA in 2017.
The GDPR established two tiers of penalties that can be issued by data protection supervisory authorities: the standard maximum and the higher maximum. The standard maximum allows for a fine equal to the greater of 10 million Euros or 2% of the relevant undertaking’s total annual worldwide turnover in the preceding financial year, for a violation of certain provisions. The higher maximum allows for the greater of 20 million Euros or 4% of the relevant undertaking’s total annual worldwide turnover in the preceding financial year, for a violation of other provisions, including the data protection principles or data subjects’ rights.
The penalty issued to BA falls under these thresholds, which may reflect BA’s cooperation with the ICO investigation and that it has made improvements to its security practices since the incident was discovered. BA has 28 days to make further representations to the ICO about the calculation of the fine before the ICO makes its final decision. The ICO has said that it will carefully consider any representations made by BA and the other European data protection authorities before it takes its final determination.