British Airways faces 20 million EUR GDPR fine after a data breach

British Airways faces 20 million EUR GDPR fine after a data breach

ICO, the UK data protection authority fines British Airlines a record 20 million EUR (GBP 183 million) over last years data breach.

A Criminal group named Magecart injected javascript in the BA Website checkout to capture personal data. Magecart illegally received data from August 21st 2018 to September 5th 2018.

They stole data from about 500.000 users including

• login information
• credit card data
• travel booking details
• names
• addresses

After announcing the fine, the Information Commissioner Elizabeth Denham said that the loss of personal data “is more than an inconvenience”.

Earlier a fine of 200 Million GBP was considered. The fine for BA would amount to 1.5% of its 2017 revenue.

British Airways has 28 days to appeal the ruling before its made final.

Sources:

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/

https://www.theverge.com/2019/7/8/20685830/british-airways-data-breach-fine-information-commissioners-office-gdpr

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-british-airways-20m-for-data-breach-affecting-more-than-400-000-customers/

Update

The fine was lowered by the data protection authority. Instead of 200 million euro, the company has to pay “only” 22.5 million euro.

Source: https://ico.org.uk/action-weve-taken/enforcement/british-airways/

Entscheidungsdatum:
16.10.2020

Land:
United Kingdom

Art des Verstoßes:
Theft of Data

Betroffene Datensätze:
500000

Waren sensible Daten betroffen?:
Yes

verhängte Geldstrafe:
€ 22,428,000,-

Quelle:
ICO