Digital Guardian's Blog

Airline Facing Record Breaking $229 Million GDPR Fine

by Chris Brook on Monday July 8, 2019


The fine would be the largest against a company post-GDPR and roughly 1.5 percent of the company's annual revenue.

One of the largest airlines in the world is facing a record fine, $229 million, following what the UK's privacy watchdog alleges is a violation of the European Union’s General Data Protection Regulation (GDPR).

The U.K. Information Commissioner’s Office (ICO) announced its intention to fine the airline, British Airways, on Monday in an announcement to the London Stock Exchange. The fine, £183.39m, stems from an incident the company was forced to report to the ICO, the UK's main data protection authority, last fall.

The incident, which made headlines shortly after it happened, involved the compromise of more than 500,000 card payments made through its website and mobile app in August 2018. Any travelers who made bookings or changes to bookings between August 21 and September 5 were likely involved. The airline said at the time that customers' names, billing addresses, email addresses, and bank card details may have been compromised, in addition to travel booking details.

The ICO said its investigation found that "poor security arrangements" were to blame for the leak of the data.

If approved, the fine will easily be the largest under GDPR; the previous record, a fine against Google for $57 million, was levied in January.

The company told publications, including the Washington Post, on Monday that it was upset with the intent to fine.

"British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused," the company said in a statement on Monday.

The ICO reiterated that the GDPR is clear when it comes to data theft.

“People’s personal data is just that—personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience,” Elizabeth Denham, the Information Commissioner said Monday. “That’s why the law is clear—when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Under GDPR a company can be fined a maximum of 4 percent of its worldwide turnover. The British Airways fine is roughly 1.5 percent of British Airways' 2017 revenue, meaning it’s in line with the law.

Tags: GDPR


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.