British Airways faces record €205m fine over data theft

Britain’s data protection regulator proposes fine over breach on website last year

British Airways is facing a record £183 million (€204.5 million) fine following the theft of customer data in 2018.

The airline said on Monday it was notified that the UK information commissioner (ICO) planned to impose the penalty, which amounts to 1.5 per cent of British Airways’ worldwide turnover in 2017.

BA disclosed in September 2018 that hackers had stolen data relating to about 380,000 customers from its website and mobile app during a two-week period beginning on August 21st, at the height of the summer holiday season.

It then announced in October that hackers had stolen the credit card details of 185,000 more customers than previously declared and over a longer period.


The attack involved traffic to the British Airways website being diverted to a fraudulent site, where customer details such as login, payment card and travel booking details, as well as names and addresses, were harvested, the ICO said.

The ICO said in a statement that it had found that a variety of information was compromised by poor security arrangements at BA, including login, payment card and travel booking details, and name and address information.

Elizabeth Denham, the information commissioner, said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it.”

“Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The ICO added that British Airways had co-operated with the investigation and had since made improvements to its security arrangements. The airline will also have the opportunity to make representations to the ICO as to the proposed findings and sanction, it said.

Alex Cruz, British Airways chairman and chief executive, said on Monday: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

Willie Walsh, chief executive of IAG, the airline’s parent company, said: “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

Analyst Gerald Khoo at broker Liberum said the proposed fine equated to about 9 pence per IAG share.

“While IAG has more than adequate liquidity to cover the fine, the penalty is still substantial,” he said.

The ICO, which could impose fines up to £500,000 under previous rules, had also investigated BA on behalf of other European regulators. – Copyright The Financial Times Limited 2019/Additional material Reuters