DMA on ICO's Proposed Fine for British Airways
08 Jul 2019
In September 2018, British Airways (BA) suffered a hack in which the personal information of its customers was breached. At the time, Chief Exec Alex Cruz was quick to apologise for what he described as a “sophisticated, malicious criminal attack” on its website, and the DMA commented on the importance of data security and building consumer trust.
Today the Information Commissioner’s Office (ICO) has announced its intention to fine BA £183.39m under the General Data Protection Regulation (GDPR) for the data breach, following an investigation by the regulator. In the announcement, Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.”
Commenting on the news, Rachel Aldighieri, MD of the DMA, said: “This is the first fine the ICO has announced under the new GDPR laws and the level of the proposed fine is unprecedented in the UK, highlighting the importance all businesses should place on the security of customers’ data.”
The potential fine represents one of the first under the GDPR that has gone over the previous maximum of £500k – fines under the GDPR can be up to 4% of global turnover or €20m.
“Data is a fundamental part of the digital economy, so maintaining its security must be a business imperative. Trust in how brands collect, store and use data is essential to the relationship between businesses and their customers. The risks to BA go beyond the potential fines regulators can issue too: the long-term effects on customer trust, share price and public perception could have more lasting damage.”
So what did the ICO find BA in breach of?
The ICO added that the incident took place after users of British Airways' website were diverted to a fraudulent site. While visiting this false site, details of about 500,000 customers were collected by the hackers.
The ICO stated that its investigation found that a variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details as well as name and address information.
The ICO also mentioned at the end of its announcement that it will carefully consider any representations made by BA before making its final decision. So we will have to wait and see what the outcome of any further discussions between the brand and regulator reveals.