British Airways Faces $230 Million Penalty for Data Breach

British Airways (BA) faces a $230 million fine as its weak website security exposed personal data of some 500,000 customers.

The penalty is the largest imposed so far under the European Union’s General Data Protection Regulation (GDPR). The strict rule which protects EU members’ personal details came into force last year.

The Information Commissioner’s Office (ICO), which enforces the rule in the UK, cited the airline’s weak data protection. ICO noted that poor security allowed user traffic to be diverted from BA’s website to a bogus page. The breach of customers’ personal information started in June 2018.

The regulator said the airline, which is owned by IAG, will have a chance to challenge the fine.


The UK’s flag carrier said it was “surprised and disappointed” by the multi-million fine. BA said “sophisticated” hackers had launched a “malicious criminal attack” on its website.

Travel, Passport Data Unexposed

The incident was first disclosed in September last year. The airline had initially reported that around 380,000 transactions were affected. However, it said that the breached data did not include travel or passport information.

BA said the stolen information involved names and email addresses. It also included credit card information, including credit card numbers, expiration dates, and CVV codes.

ICO said the airline had cooperated with its probe and had since stepped up its security.

Tougher Privacy Rules

The implementation of GDPR was the most significant overhaul in data privacy regulation in 20 years.


The fine imposed on BA is the first one to be announced in public since the introduction of the rules. One of the GDPR rules is the mandatory reporting of data security breaches to the information commissioner.

The regulation also increased the maximum penalty to 4% of the offending company’s total turnover. In the case of BA, the penalty only amounts to 1.5% of its global revenue in 2017.

Before GDPR took effect, the biggest penalty was £500,000 ($560,700) imposed on Facebook. The social media giant was fined for its involvement in the Cambridge Analytica data scandal. The amount was the maximum allowed under the Data Protection Directive, the data protection rules preceding GDPR.

Information Commissioner Elizabeth Denham said personal data of people should be strictly private. Companies must then look after the personal data entrusted to them. She warned those failing to do so will face scrutiny for the protection of their customers’ privacy rights.