Fine of around 205 million euros for inadequate safety measures

The UK’s Information Commissioner’s Office (ICO) today announced that it has fined British Airways £183.39 million for failing to take sufficient measures to protect personal data. Last year, approximately 500,000 users of British Airways’ website were redirected by hackers to their own website, allowing them to obtain information including booking details, names, address details and credit card information. In the view of the supervisory authority, this was made possible by inadequate security measures taken by the airline. The latter has announced that it will appeal the fine.

The fine might have been significantly higher if British Airways had not cooperated extensively with the authority and improved its own security measures. In any case, such behavior has led German regulators to reduce fines in the past.

Regardless of the outcome of the further proceedings, the ICO’s decision is in line with the already observed practice of imposing heavy fines, in particular for violations of the provisions of the GDPR to ensure the security of personal data. Their importance in practice can therefore hardly be overestimated. On the other hand, those who, as data controllers, neglect the security of personal data out of disinterest or even for cost reasons will expose themselves to the risk of high fines in the future. In addition to these fines, there are other risks, such as reputational risks or the risk of further regulatory measures, such as the (temporary) prohibition of individual processing operations.”