British Airways have been hit with a £20m fine from the Information Commissioner’s Office (ICO) after a data breach which began on 22 June 2018 and continued for over two months before being detected on September 5th 2018.


The data breach involved approximately 430,000 staff and customers, with around 244,000 of these having their full name, address, card number and CVV number exposed to hackers. BA systems were compromised by the attackers who had managed to divert users of BA website to a fraudulent site. It was only after a security researcher discovered the breach, that it was brought to BA attention two months after it had begun.

An investigation took place to consider whether sufficient security measures were in place at the time of the attack. Unfortunately for BA, the ICO noted that some of these measures which should have been in place, such as multi-factor authorisation, were available to them on the Microsoft operating system that they were using at the time of the breach, and the ICO concluded that the breach occurred due to BA having “poor security arrangements” in place to protect customer information being accessed. Because of this, BA breached data protection law and failed to protect themselves from a preventable cyber-attack.


Back in 2019, the Information Commissioner’s Office (ICO) set the fine for BA at £183.39m, which amounted to 1.5% of their £11.6bn worldwide turnover from 2018. After hearing this, BA was informed that they could appeal against the ICO’s findings and the scale of the fine before a final decision by the ICO.

After putting forward their representations regarding the attack, the Commissioner considered that “BA has cooperated fully with her investigation” which was taken into account. The impact of the Covid-19 pandemic was also taken into consideration, which aided in the reduction of the fine from £183.39m to £20m.

Despite the £163.39m reduction in the fine, this is still the biggest ever fine issued by the ICO under the new General Data Protection Regulation (GDPR).


The GDPR imposes strong disciplinary measures and fines for non-compliance and are designed to be “effective, proportionate and dissuasive” for each case. Article 83(5) of the GDPR states that for severe violations, the fines can be “up to €20m (£17.5m), or in the case of an undertaking, up to 4% of their total global turnover of the preceding financial year, whichever is higher”.

BA bosses have said to be fighting for survival at the moment due to the pandemic, which has forced the company to only operate 25-30% of its schedule. This reduced schedule has resulted in instances such as the first week of September, where they only flew 187,000 passengers compared to 1 million they flew during the same period in 2019.

As this is a potential landmark decision, due to being the first substantial fine under the new GDPR, the ICO took just over 25 months from the date of knowledge to come to their final decision as they have worked through the matter with a fine-tooth comb to ensure they make the right decision.

If circumstances were different, BA may not have been as fortunate to have the eye-watering figure of £183.4m reduced. In a post-pandemic world, the ICO may not be as generous.