On July 8, 2019, the UK’s Information Commissioner’s Office announced its intention to fine British Airways £183.39M ($229,377,293) for data breach infringements of the General Data Protection Regulation (GDPR). This first publicly disclosed GDPR penalty amounts to about 1.5% of British Airways’ worldwide turnover, which is still less than the possible maximum penalty of 4%. Alex Cruz, British Airways chairman and chief executive officer, said in a press release: “We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”
According to the ICO, the massive fine was ultimately based on the harvesting of personal data of approximately 500,000 customers only one month after GDPR became enforceable. The ICO investigation uncovered that “a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.”
Given that the ICO’s final decision will take into consideration a formal response from British Airways and other data protection authorities, the fine will likely be modified in some way. This is made more likely by the new security procedures British Airways has implemented, the absence of present evidence of fraud, and the fact that British Airways has already threatened an appeal.
UPDATE: July 9, 2019
A day after the British Airways proposed fine, Marriott was hit with a $123 million proposed GDPR fine for a November 2018 breach.