£183m fine to land on British Airways

After waiting patiently for the UK Information Commissioners Office (ICO) to start the big fines process under GDPR, and expecting the first to be Facebook or similar, British Airways have beaten everybody else to the gate.


The UK Information Commissioners office is proposing to fine British airways £183m for their lapse in security in 2018. This breach saw over 500,000 passengers detail stolen off their online booking system.

The irony here is that it is possible that if BA had picked up on this problem early, they may have reported this prior to GDPR coming into force on the 25th May 2018. We currently have a start date from IAG of April 21st 2018 for the compromise, but maybe the penalty notice that will be issued by the ICO will provide some guidance on this point.

Poor Security Controls

The notice from the ICO clearly indicates that security controls within BA where not up to their liking. The fact that rogue code had been injected into their website without anyone noticing for months most probably had a lot to do with that.

BA are still wheeling out the old and well-trodden “we were the victims of a sophisticated criminal act” type statements.

GDPR maximum fine

The reporting of the fine however has got a few things wrong. Yes, GDPR is complicated in terms of its scope, but the fine structure and scope is quite clear in terms of BA, or should I say IAG.

Article 83 sets out the maximum fines permissible under GDPR. 2% for minor mess ups, 4% for the proper mess ups. However, both maximums relate to the “undertakings” global turnover. Aka Global revenues.

The undertaking in this instance is very clear. BA is part of a group of airlines known as IAG. IAG exerts control over all of its child companies, even reporting as a group. So, in this case, the undertaking is IAG and the maximum fine under Article 83 of the GDPR would be 4% of IAG global revenues, not just those of BA.

This dumbs down the 1.5% of the maximum fine number being reported, to a much more respectable 0.8%. In other words, BA will be fined about 20% of the maximum fine available to the ICO, under Article 83 of the GDPR. (0.8% verses 4%).

BA looks to appeal the fine

BA look like they want to appeal, and we will see what happens over the next few weeks. The question we need to be asking, rather than is £183m fair and is it too big a number, is:

Is 20% of the maximum fine truly consistent and a like for like reflection of previous fines under the DPA98?

From the outside, this seems reasonable, but we simply do not have the facts of the failings in BA, that resulted in this assessment. What will be interesting to see is whether the ICO will come up with a completely new scoring system as a result of this first challenged case. Sticking with the old scoring system is likely to produce big fines for big companies. It can be argued that this is exactly what the GDPR was brought in to do.

What does this mean for everyone else?

To put £183m into context, it is roughly 50% greater than the quarterly profit number released by IAG most recently.

The broader implications of this are already being felt. Companies are looking on in amazement at the scale of this fine, and then comparing it to the size of their IT budgets. It is highly likely that this fine is greater than BA’s annual IT budget.

If nothing else, it makes the GDPR a board level issue again, after a year of relative quiet.