MSE News

British Airways set to be fined £183m over data breach

British Airways is facing a fine of £183.39 million after a data breach last year which compromised the details of about 500,000 customers. 

In a cyber-attack on the British Airways website that began in June 2018, users were diverted to a fraudulent website which stole their details.

Customers' payment card details were "compromised" as a result of the attack, as well as login, travel booking, name and address details.

The Information Commissioner's Office (ICO) says the data was compromised as a result of "poor security arrangements" from British Airways, and plans to fine the company under the Data Protection Act.

The fine of £183.39 million represents 1.5% of the airline's worldwide annual turnover for the financial year ending on 31 December 2017.

British Airways reported the incident to the ICO in September 2018, and since then has co-operated with its investigation and improved security. It will be able to appeal the fine before the ICO makes its final decision, and British Airways' parent company, International Airlines Group, says it will "defend the airline's position vigorously". 

See our 30+ Ways to Stop Scams guide for information on keeping your data safe. 

'People's personal data is just that – personal'

Information commissioner Elizabeth Denham said: "People's personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.

"That's why the law is clear – when you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

What does British Airways say? 

Alex Cruz, British Airways chairman and chief executive, said: "We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.

"We apologise to our customers for any inconvenience this event caused."