British Airways faces $230M GDPR fine for 2018 data breach

The Information Commissioner's Office plans to hit the airline over a data breach that affected 500,000 customers.

Sean Keane Former Senior Writer

The Information Commissioner's Office in the UK on Monday revealed its plan to slap British Airways with a £183.4 million ($230M) fine over a 2018 data breach, one of the ICO's biggest fines since the General Data Protection Regulation came into effect. The breach is believed to have impacted 500,000 people, the regulator noted.

The breach, which BA disclosed in September, saw people visiting its website being diverted to a fraudulent site, where details including name, billing address, email address and payment information were harvested. 

The initial disclosure said the breach happened between August and September, impacting 380,000 card payments. The airline later said that 185,000 people who made bookings between April and July may have been similarly compromised.

Information Commissioner Elizabeth Denham said in a statement that "the law is clear" when it comes to people's personal data.

"When you are entrusted with personal data you must look after it," she wrote. "Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

The $230 million fine is 1.5% of BA's global turnover for the year, its parent company International Airlines Group noted in a statement. Under GDPR, companies can be fined the equivalent of $22.4 million or 4% of their total annual worldwide revenue in the preceding financial year, whichever is higher.

"We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers' data," Alex Cruz, BA's chairman and chief executive, said. "We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused."

Willie Walsh, IAG's chief executive, noted that the company plans to appeal the fine. It has 28 days to do so, our sister site ZDNet noted.

First published at 3:26 a.m. PT.
Updated at 4:55 a.m. PT: Adds more detail.
