British Airways fined £20m for data breach that affected more than 400,000 customers

The Information Commissioner’s Office (ICO) has fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers. In summary, between 22 June and 5 September 2018,  malicious actor gained access to an internal application of the company through the use of compromised credentials for a Citrix remote access gateway. After gaining access to the wider network, the attacker traversed across the network. This culminated in the editing of a Javascript file on BA’s website ( The edits made by the attacker were designed to enable the exfiltration of cardholder date from the website to an external third party domain ( which was controlled by the attacker. The date subjects affected by this breach were BA customers in the UK, in the EU and in the rest of the world.

BA was the controller of the personal data of its customers, within the meaning of section 6 of English Data Protection Act 2018 DPA and Article 4(7) GDPR, as it determined the purposes and means of the processing of the personal data. By , inter alia, collecting, recording, organizing , structuring and storing the personal data of its customers, BA was processing that data within the meaning of section 3(4) DPA and article 4(2) GDPR.

The Commissioner has found that BA failed to process the personal data of its customers in a manner that ensured appropriate security of the data including: protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures, as required by Article 5(1) (f) and by Article 32 GDPR.

The Commissioner has also found that, in all circumstances of the case and having regard to BA’s representations and the matters listed in article 83(I) and (2) GDPR, the infringements constitute a serious failure to comply with the GDPR and, accordingly, that the imposition of a penalty is appropriate. The amount of the penalty that the Commissioner decided to impose, having taken into account a range of mitigating factors and the impact of the Covid-19 pandemic, is £20m.

For further information or clarifications regarding GDPR , please contact S. Dionysiou & Partners LLC at / +357 22 272360.

Read more articles about GDPR here

(source: / photo:pixabay)


More Posts

Η εκτέλεση απόφασης μετά από 12 έτη από την έκδοσή της με άδεια δικαστηρίου σύμφωνα με τους νέους Κανονισμούς Πολιτικής Δικονομίας

του Γιώργου Καζολέα, δικηγόρου σε Dionysiou & Partners LLC To δικαίωμα του υπερ’ ου η εκτέλεση καταχώρισης αίτησης στο δικαστήριο για λήψη άδειας εκτέλεσης απόφασης,

Get in Touch

Seeking legal, business or immigration solutions in Cyprus? Contact us for a consultation.

Contact Info