British Airways (‘BA’) are facing a historic fine of £183m following a major data breach reported by the Information Commissioner’s Office (‘ICO’) on 6th September 2018 in which hackers successfully stole customers’ personal data consisting of passenger login details, card details, addresses and travel booking information. The ICO had previously reported that the personal data of around 500,000 passengers was stolen from BA’s website and the mobile app in a different data breach which purportedly started in June 2018.
Following the entry into force of the General Data Protection Regulation (‘GDPR’) on 25th May 2018, this is the first penalty for a personal data breach that has been made public and it demonstrates the serious nature of the approach undertaken by the ICO when personal data is not treated with the upmost care.
Although this constitutes a significant fine for BA, the ICO has the power to penalise a company for a serious data breach for the higher of either up to 4% or €20m of annual turnover, which could have resulted in a fine of around £460m.
To put the impact of the GDPR into context, some insight is provided by comparing this penalty to the one faced by Cambridge Analytica. Cambridge Analytica was fined £500,000 for a personal data breach that affected around 87 million users; the BA breach affected around 0.6% of the number of people affected by the Cambridge Analytica breach. However, at the time the fine facing Cambridge Analytica was governed by the Data Protection Act 1998, which set the maximum fine for a data breach at £500,000.
Elizabeth Denham, the Information Commissioner, said in relation to the BA data breach that “people's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
Following the issue of the notice, Willie Walsh, Chief Executive of IAG, stated that British Airways would be making representations to the ICO and that "we intend to take all appropriate steps to defend the airline's position vigorously, including making any necessary appeals".
© 2019 Whitestone Chambers