British Airways gets huge GDPR fine

Josh Hall's picture

British Airways has received the biggest-ever fine following last year's breach of customer data.

The airline says it has been told it must pay £183 million - the biggest bill ever handed out by the Information Commissioner's Office (ICO).

The penalty is the first to be made public since the introduction of GDPR, under which penalties can reach 4 per cent of a company's annual worldwide turnover.

The £183 million figure represents 1.5 per cent of BA's 2017 worldwide turnover, and is substantially higher than the previous record £500,000 levied on Facebook after the Cambridge Analytica scandal - a penalty made under the rules that preceded GDPR.

British Airways says it will appeal the fine, and it has 28 days in which to do so.

Willie Walsh, chief executive of BA's owner IAG, said: "We intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals."

The fine relates to a massive breach of customer data announced in September last year.

BA says the breach affected 380,000 transactions, and included credit card numbers, expiry dates, and CVV codes.

The airline says passport information was not affected.

BA chairman and chief executive Alex Cruz said: "We are surprised and disappointed in this initial finding from the ICO.

"British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.

"We apologise to our customers for any inconvenience this event caused."

Buy your tickets for the Prolific London Awards

Buy your tickets for the Prolific London Awards