skip to main page content
Twitter LinkedIn

The ICO takes its first GDPR bite

Friday, 12th July 2019

It has been widely reported this week that the Information Commissioners Office (ICO) has handed out its biggest penalty yet to a company for an information security breach.

British Airways (BA) has been fined a cool £183m by the ICO for its system security breach, which was disclosed in September last year and, under the new General Data Protection Regulation (GDPR), the ICO has also gone public with the notice.

In September, The Guardian reported the breach in an article the day after the news had first broken. At the time, BA thought that details of 380,000 transactions, including personal details such as credit card numbers, email addresses and home addresses, had been stolen from a period between June 2018 to August 2018.

Over a two-week period, BAs website and app had been diverted to a fraudulent website site where details of customers personal details were taken by the hackers. It turned out that the estimated number BA reported in September was far more, around 500,000.

At the time of the reported breach, BA issued a statement and said "The stolen data did not include travel or passport details. From 22.58 BST August 21 2018 until 21.45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on and the airline's app were compromised. The breach has been resolved and our website is working normally."

They also urged their customers to contact their banks and credit card providers to alert them that their details may have been compromised.

This is the biggest penalty to date that the ICO imposed. The next largest applied was on Facebook of £500,000 for its role in the Cambridge Analytica data scandal.

However, the ICO couldve slapped on a far greater fine to BA. It now has the power to penalise companies up to 4% of turnover, whereas £183m sounds a lot, it only represents 1.5% of BAs reported turnover.

Airline owner IAG has been quoted in an article this week published by the BBC as being "surprised and disappointed" by the penalty and they now have a chance to appeal against the ICOs penalty.

Obviously the multi-million-pound fine is big news but there is far more at stake for businesses should they experience a breach. For BA and many other companies hit by an information breach, apart from the knock to the companys accounts, there is potentially the immeasurable brand reputation damage and ongoing impact in the undermining of customer confidence in such a trustworthy brand.

The BBCs Technology Correspondent, Rory Cellan-Jones, said The message is clear - if you don't treat your customers' data with the utmost care expect severe punishment when things go wrong.

Dont think it won't happen to me. If you would like a chat about how secure your company data is, please do get in touch.

Communicate Technology PLC, established in 2011, is a specialist IT, telecoms and cyber security company providing a wide portfolio of services to clients across various industries within the UK and Europe.

A Financial Times’ Top 1000 Fastest Growth companies in Europe for three years running, their service offering has expanded over the years to accommodate client needs.

With a specialism in business parks and multi-tenant office spaces, Communicate use a fully managed nationwide network to ensure they can offer the highest level of performance and reliability. That, coupled with the company’s vastly experienced team, means that the end user has immediate access to experts, even if the client is unable to offer IT services in-house.

Communicate service clients across the UK from their multiple facilities, including their head quarters at Wynyard Business Park in Tees Valley, Leeds, Bedfordshire and Kent.