Now Departing: £20m from British Airways

The empennage of three British Airways planes.

Photo taken by Arie Wubben

Now Departing: £20m from British Airways

British Airways airline company has been fined the “biggest to date” sum of £20 Million, by the Information Commissioner’s Office (ICO) for failing to protect the personal data of data subjects which resulted in a security breach.


In June 2018, a cyber-attack was carried out on the company that lay undetected for more than two months. During the attack, it was believed that details belonging to over 400,000 customers and staff were accessed. The types of personal data compromised included; addresses, names, credit/debit card details such as CVV numbers, many account details such as usernames and passwords of employees belonging to British Airways, and passenger travel information.


Due to the nature of the security breach, the ICO launched an investigation. They came to the verdict that there was a significant amount of personal data being processed without adequate security measures in place, and therefore breached UK/EU data protection law. Specifically, it was noted that:

  • Although features such as multi-factor authentication were available, they were not in place at the time of the security breach. This allowed the criminals to exploit vulnerable repositories of data.
  • Access to applications, data, and tools was not limited to the minimum number of people that required it.
  • More rigorous testing was needed, such as simulated cyber-attacks on the businesses’ systems.
  • There was a distinct lack of awareness of the breach. It was only noticed by a third-party who notified BA two months after the attack was carried out. It is unclear how or when BA would have recognised the cyber-attack took place without this third-party contact.


On a more positive note, it was recognised that BA co-operated fully throughout the investigation and significant improvements have been implemented since the incident. Additionally, it was observed that BA communicated effectively to affected data subjects.

What can we learn from this?

The key takeaways are:

  • Although it has been two years since the incident, BA were eventually punished. This shows that the ICO are being very meticulous in their approach to incidents like these. They are determined to get the decision right.
  • The fine is still heavy. With the original estimated sum of £183 million being reduced due to the current economic strain in a Covid-19 environment, the fine remains a painful takeaway of BA’s negligence, who’s profits are already being hammered due to travel restrictions. This outlines how much importance is being given to the safeguarding of personal data by companies and should act as a warning sign of things to come if data subjects are not protected. By far the bigger punishment for BA is the huge amounts of negative press which they have received.
  • The cost and implementation of measures to safeguard data is insignificant to the staggering costs that an organisation can face for failing to adhere to the GDPR. It pays to be due diligent.

It’s too late for BA to change what has happened but for other companies there is still a chance to obtain GDPR Compliance Peace of Mind. Using an external organisation such as Tacita to provide an outside perspective of the organisation’s GDPR standing without the fear of receiving a fine is the perfect opportunity to highlight areas of risk before they become fully fledged security breaches.


Find out more today and contact us.


About Us: Tacita is a leading General Data Protection Regulation (GDPR) compliance specialist operating from their base in the United Kingdom. This company helps clients maintain their GDPR compliance by undertaking independent external GDPR assessments in a cost-effective manner with minimal disruption to the client. Offering clear and actionable solutions, the company offers an unbiased service ensuring their clients save time, money, and energy when it comes to their GDPR requirements. Tacita provides a three-step process, which includes assessments, recommendations and resolutions with detailed reporting and data processing, record processing and privacy policies. Full details can be found at https://www.tacita.io/

Send us a message

Telephone: 020 3998 9504
Email: contact@tacita.io

To see how we use your data, see our Privacy Notice.