British Airways faces $228M fine over data theft

British Airways is facing a fine worth about $228 million over a breach that compromised personal data of about 500,000 customers last year.

Continue Reading Below

The U.K. Information Commissioner’s Office (ICO) said this week it intends to fine the airline 183.39 million pounds for alleged infringements of the General Data Protection Regulation — a European Union law setting rules for data privacy that went into effect last year.

Some users on the British Airways website were diverted to a fraudulent site, where attackers harvested customer details, according to the ICO. Officials believe the attack began in June 2018, and British Airways reported it to the ICO in September.

The ICO claimed “poor security arrangements” at British Airways compromised the customers’ information, including logins, payment cards, travel booking details and names and addresses.

“People’s personal data is just that – personal. When an organization fails to protect it from loss, damage or theft it is more than an inconvenience,” U.K. Information Commissioner Elizabeth Denham said. “That’s why the law is clear – when you are entrusted with personal data you must look after it.”

In a statement released through the London Stock Exchange, British Airways chairman and CEO Alex Cruz said the airline was “surprised and disappointed” by the ICO’s findings.

“British Airways responded quickly to a criminal act to steal customers’ data,” he said. “We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

The ICO noted the airline cooperated with its investigation and has made security improvements since learning about the data breach.

“We apologize to our customers for any inconvenience this event caused,” Cruz said.

The proposed fine is equal to 1.5 percent of British Airways’ 2017 revenue, officials said.


Willie Walsh, CEO of British Airways' parent company International Airlines Group, said the airline intends to make a case against the fine.

“We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals,” he said.