The ICO fines BA £20m whilst the travel sector is in a crisis - too harsh?

by Helen Naylor, October 2020

Get In Touch

It could have been so much worse…

BA has been fined £20m by the ICO for a cyber-attack that took place in 2018. Following the incident, hackers were able to gather BA customers’ personal information, including bank details, for two months before the breach was discovered.

Initially, the ICO said it intended to issue an eye-watering £183m fine but it took into account the economic impact of COVID-19. Still, £20m is the largest fine issued by the ICO and is the result of increased powers to fine higher amounts following the introduction of the Data Protection Act 2018 and the GDPR.

What can we learn from BA?

  1. Preventable - BA failed to install sufficient, and readily available, security measures to prevent the hack
  2. Delay to detection - BA demonstrably didn’t have sufficient checks in place to detect the breach for two months

We have highlighted a 10-point GDPR checklist to get you started here but compliance is ongoing. Despite the fine not being as high as anticipated, BA will no doubt still feel the pinch. Here's the full story if you'd like to read more. 

Please get in touch by email at if you'd like more tips or advice about your compliance processes. 

Twitter Instagram YouTube LinkedIn Facebook Google + WhatsApp Link Email icnUpArrow Right Arrow Down Arrow Left Arrow Search Checkbox Check Close Map Pin Shopping Bag