British Airways faces £183m GDPR fine over hack, four times Google’s GDPR fine


British Airways (BA) could be slugged with a £183 million (AU$328m) fine over a data breach it disclosed in September 2018, months after the EU’s new GDPR privacy laws allowed regulators to impose fines of up to four percent of an organization’s global annual revenues.

BA in September disclosed a breach that it said at the time affected around 380,000 card payments due to a flaw in its website. The cards were affected between 21 August and 5 September, it said.  

UK privacy regulator the Information Commissioner’s Office (ICO) today said that customers visiting BA’s website were redirected to a fraudulent website where they entered payment card data that was harvested by attackers. 

The ICO estimated that around 500,000 customers were compromised in this incident and noted that it was believed to have begun in June 2018, two months earlier than BA originally said.

BA, owned by IAG, said it was “surprised and disappointed” at the ICO’s proposed fine, which amounts to 1.5 percent of the airline’s 2017 worldwide revenues. BA intends to appeal the proposed fine.