The UK’s Information Commissioner’s Office (ICO) has levied a record-breaking £183.39 million (€204.62 million) GDPR fine on British Airways for failing to protect customers’ financial and personal data following a cyber-attack on its website last year.


The ICO said that, following a “thorough investigation” into the incident, it has decided to whack the airline with a hefty £183.39m penalty, representing 1.5% of British Airways’ worldwide revenue in 2017.


While less than the maximum GDPR fine of 4%, this is the biggest penalty handed out under the GDPR to date; the previous largest was the €50 million GDPR fine issued to Google by France’s Data Protection Office (CNIL) for a data transparency breach.


The ICO noted that its investigation found that the personal data of approximately half-a-million British Airways customers was compromised in the breach, due to “poor security arrangements” at the company. This data included names and addresses, log-in details, travel booking information and payment card details – including the number, expiry date and three-digit security code.


Announcing her intention to impose the fine under GDPR, Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.”


“That is why the law is clear – when you are entrusted with personal data you must look after it. Those that do not will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”


Source: Information Commissioner’s Office (ICO), United Kingdom.