The BA data breach fine – is it enough?

Following the British Airways data breach in 2018, where almost 500,000 customers were affected, the Information Commissioner's Office (ICO) has issued its final fine. The BA data breach fine was announced to be just £20 million, a significant 90% less than the £183m the ICO said last year that it intended to fine.

Though £20 million is no small amount, the question is whether, for an international airline, this data breach fine is enough to have a proper impact. When the ICO decides how much it should fine data breach offenders, the amount should be enough to have a ‘dissuasive effect’ on the company and others, warning them against committing further data breaches.

In the case of the BA data breach fine, it is not seen as a high enough amount to have a dissuasive effect when you consider how much of the original proposed amount has been wiped out.

About the British Airways data breach

The British Airways data breach occurred in 2018, affecting customers who made or changed a booking between 10:58pm on 21st August 2018 and 9:45pm on 5th September 2018. British Airways announced that customers who made a reward booking between 21st April 2018 and 28th July 2018 could also be affected.

The data breached included: names, travel information, email addresses, billing addresses, and payment card details, including the CVV number on the back of the card in some cases. This information is extremely sensitive and was available for over two weeks during the attack before the issue was identified.

The sensitive nature of the BA data breach leaves victims immediately vulnerable to fraud, scams and identity theft. Victims are eligible to claim compensation if they have been affected by the breach, with eligible victims able to sign up via the BA Group Action website here.

The BA data breach fine

The ICO originally announced an intention to fine BA £183 million. However, it has now deemed a much smaller amount, £20 million, to be enough. We assume that this means that the ICO believes this much smaller amount to be enough to have a dissuasive effect, although we are concerned at how much the fine has come down by. After investigation, the ICO concluded that BA should have identified the security weakness and put preventative measures in place, so this was a preventable incident either way.

It is likely that the fine was dramatically reduced due to the impact of the coronavirus pandemic, which has triggered a significant decline in services in the aviation industry. Some form of impact was to be expected, but the 90% drop in the BA data breach fine has raised significant concerns about upholding important data protection laws and how offenders are to be held accountable. Such a small fine threatens to undermine the power of the GDPR and may not act as a deterrent to big businesses, which may not bother to put high data security measures in place when they could end up arguing for far smaller penalties.

Join the BA Group Action now

There’s still time to join the British Airways Group Action to claim compensation for the BA data breach. We have launched our data breach Group Action – if you have been affected, do not hesitate to start your claim here on the BA Group Action website now.

We currently represent claimants across 50 different multi-party and group actions and have years of experience in data breach cases. With fines for breaches facing drastic reductions, it is clear that compensation actions are the true way forward when it comes to justice for victims and accountability for offenders.
