On 16 October 2020 the Information Commissioner’s Office announced that it had imposed on British Airways the biggest ever penalty in the UK for breach of data protection law.
The penalty is the culmination of a two-year investigation by the ICO into a cyber-attack on British Airways’ systems in 2018, which affected the personal data of over 400,000 of its customers. The ICO’s investigation identified a number of weaknesses in BA’s cyber-security measures, which were found to have allowed the attack to take place. The ICO also found that BA failed to detect the attack for several weeks, until it was alerted to the exfiltration of personal data from its systems by a third party. The ICO concluded that BA’s failures cumulatively amounted to a serious breach of the requirement to take appropriate measures against unauthorised or unlawful processing, contrary to Articles 5(1)(f) and 32 of the GDPR.
The final penalty, of £20m, was calculated from a starting point of £30m, with downward adjustments to take into account mitigating factors including BA’s prompt reporting of the breach and cooperation with the ICO, and a further discount of £4m having regard to the economic consequences of the Covid-19 pandemic.
The ICO was acting as “lead supervisory authority” on behalf of other EU regulators, meaning that the decision had to be submitted for approval by all other EU data protection authorities, in accordance with Article 60 GDPR.
The ICO’s decision has been widely reported on, including by the BBC, Financial Times, The Times, The Telegraph and The Guardian, as well as the Register and other specialist tech and data publications. A copy of the penalty notice and decision is available here.
Gerry Facenna QC, Julianne Kerr Morrison and Khatija Hafesji advised the Information Commissioner’s Office throughout the investigation, Article 60 process, and the final penalty decision.