Stay Legal UK

News: ICO fines British Airways for its 2018 data breach

talking about personal data

The General Data Protection Regulation (GDPR) came into force in May 2018 and was incorporated into UK law by the Data Protection Act 2018 (DPA). The GDPR and DPA provide for substantially larger fines than their predecessor. Companies can now be fined a maximum of ‘20 million Euros or 4% of the undertakings total annual worldwide turnover in the preceding financial year, whichever is higher.’

Since the introduction of the GDPR, British Airways (BA) was threatened in 2019 with a £183 million fine for a data breach affecting the financial and personal details of more than 400,000 people between August and September 2018. (The GDPR came into force on 25 May 2018.)

BA and the Information Commissioner’s Office (ICO) agreed to extend the regulatory process until 31 March 2020. On 16 October 2020 the ICO released a Penalty Notice against British Airways plc.

It states that ‘between 22 June and 5 September 2018, a malicious actor (the Attacker) gained access to an internal BA application through the use of compromised credentials for a Citrix remote access gateway. After gaining access to the wider network, the Attacker traversed across the network. This culminated in the editing of a Javascript file on BA’s website ( The edits made by the Attacker were designed to enable the exfiltration of cardholder data from the website to an external third-party domain ( which was controlled by the Attacker.’

BA did not admit liability for breach of the GDPR. However, the Penalty Notice states, ‘the Commissioner has found that BA failed to process the personal data of its customers in a manner that ensured appropriate security of the data, including: protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures, as required by Article 5(1)(f) and by Article 32 GDPR.’

The amount the ICO has ‘decided to impose, having taken into account a range of mitigating factors […] and the impact of the Covid-19 pandemic is £20 million.’

This highlights how important it is to comply with the data protection principles of the GDPR, especially the integrity and confidentiality principle: you need to make sure you have appropriate and adequate security measures in place to protect the personal data you hold.

A Lawdit Stay Legal package will ensure that your website is legally compliant, giving you peace of mind. We will conduct a complete audit of your website to see whether anything is needed to ensure compliance, and we will provide all the documents your website needs, tailored to its requirements. With a free initial consultation there is no need to delay, so book today!
