First GDPR Proposed Fine Comes in at a Whopping $229 Million

On July 8, 2019, the UK’s Information Commissioner’s Office announced its intention to fine British Airways £183.39M ($229,377,293) for data breach infringements of the General Data Protection Regulation (GDPR).  This first publicly-disclosed GDPR penalty amounts to about 1.5% of British Airways’ worldwide turnover– which is still less than the possible maximum penalty of 4%.  Alex Cruz, British Airways chairman and chief executive officer, said in a press release:  “We are surprised and disappointed in this initial finding from the ICO.  British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

According to the ICO, the massive fine was ultimately based on the harvesting of personal data of approximately 500,000 customers only one month after GDPR became enforceable.  The ICO investigation uncovered that “a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.”

Given that the ICO’s final decision will take into consideration a formal response from British Airways and other data protection authorities, the fine will likely be modified in same way – this is also likely given there were new security procedures implemented by British Airways, there is no present evidence of fraud, and British Airways has already threatened an appeal.

At the time of the attack, British Airways provided very little information regarding how it was accomplished other than to say it impacted website and app bookings from August 21 to September 5, 2018 and that it was the victim of a “sophisticated, malicious criminal attack“.  One security expert posited that malicious code was planted on the website’s payments page using a modified version of the Modernizr JavaScript library.  Others have considered this attack caused by a cross-site scripting exploit.  No matter what the attack vector or exploit, this was clearly the sort of security lapse that has dogged many companies over the years.  To now have a potential $229 million fine waiting on the sidelines can only be considered yet another massive motivation to get one’s security house in order as soon as possible.

UPDATE: July 9, 2019

A day after the British Airways proposed fine, Marriott was hit with a $123 million proposed GDPR fine for a November 2018 breach.