British Airways is facing a £183 million fine from the Information Commissioner’s Office (ICO) for failing to protect the personal data of over 500,000 customers last year. The compromised information included customer log in and payment card details, names and addresses as well as travel booking information.


Information Commissioner Elizabeth Denham said, "People's personal data is just that - personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience. That's why the law is clear - when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."


Under the GDPR regulation brought in from May 2018, organisations can be fined up to 4% of their annual turnover for data breaches. The proposed £183 million fine by ICO amounts to 1.5% of the airline’s 2017 turnover. 


In response to the ICO’s statement of intent, Alex Cruz CEO of British Airways said,


"We are surprised and disappointed in this initial finding from the ICO. British Airways responded quickly to a criminal act to steal customers' data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused."


The airline has 28 days to appeal the decision and Willie Walsh, chief executive of its parent company IAG has confirmed the airline will be making representations and any necessary appeals to the ICO in relation to the proposed fine. 


If you would like some with your company's GDPR compliance or to book a free initial consultation worth £499 email