The UK’s Information Commissioner’s Office (“ICO”) today (8 July 2019) announced its intention to fine British Airways (“BA”) £183.39m under the General Data Protection Regulation (“GDPR”) for a personal data breach. This is the highest fine issued so far by a European Union data protection supervisory authority for a personal data breach under the GDPR.
The breach, described as a “sophisticated, malicious criminal attack”, was first disclosed on 6 September 2018. Details of approximately 500,000 BA customers were compromised during the breach, which involved the diversion of user traffic from the BA website to a fraudulent website. The personal information compromised included names, email addresses and payment card details used during the booking process. The ICO indicated that BA cooperated with the ICO investigation and has made security improvements following the incident.