British Airways fined GBP 183.39 million


Date of enforcement action:
Jurisdiction: Fine imposed:
United Kingdom Flag for United Kingdom, which is the jurisdiction taking enforcement action GBP 183,390,000 (US$237,620,000)
Defendant company or entity: Industry segment:
British Airways plc Airlines /Transport /

Case summary

Following an extensive investigation the ICO has issued a notice of its intention to fine British Airways £183.39M for infringements of the General Data Protection Regulation (GDPR).

The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.

The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.

Applicable legal provisions


Enforcement information

Enforcement authority: Type of enforcement action:
Information Commissioner's Office Flag for United Kingdom, which is the jurisdiction taking enforcement action Notice of intention
Subject to appeal?
Yes (Notice of intention is being appealed)

Cite this fine in your work

Data Privacy Fines Index. (2019-07-08 09:28) British Airways fined GBP 183.39 million. Retrieved from

Entry last updated: 2020-01-12 11:42 GMT.