GDPR: British Airways faces record fine of £183.39M8 July, 2019
The UK’s Information Commissioner’s Office (ICO) has today issued a statement in relation to its intention to fine British Airways (“BA”) £183.39M for infringements of the GDPR.
The matter relates to a cyber security incident notified by BA to the ICO in September 2018 and believed to have started in June of that year. Described by BA as a “sophisticated, malicious criminal attack” on its website, the incident resulted in users of the BA website being diverted to a fraudulent site through which their personal data (including personal data of a financial nature) was harvested. Approximately 500,000 BA customers were affected.
In Europe, the principles relating to the processing of personal data are set out under the GDPR and national data protection laws. Article 5(1)(f) of the GDPR specifically provides that personal data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. A controller of personal data, such as BA, is responsible for complying with the principles laid down under the GDPR in relation to the processing of personal data and must be in a position to demonstrate this compliance.
According to the ICO, however, BA’s poor security arrangements compromised user information, including log in, payment card, travel booking details and name and address information.
Before the ICO issues its final decision, BA will have an opportunity to make representations as will the other concerned supervisory authorities in the EU.
For more information please click here.
This highlights the importance of having robust technical and organisational measures in place to help ensure the lawful and secure processing of personal data, including on websites.