August 14, 2022

Volume XII, Number 226


ICO Issues Record £20 Million Fine To British Airways

The UK Information Commissioner’s Office (ICO) has fined British Airways £20 million, the ICO’s largest fine to date, for failing to protect the personal and financial details of more than 400,000 of its customers.

In a statement published online on 16 October 2020, the ICO stated that its investigation had found that British Airways was “processing a significant amount of personal data without adequate security measures in place”. This failure is said to have breached data protection law, and the airline was subsequently the subject of a cyberattack in 2018 that went undetected for more than two months.

In the 2018 cyberattack, user traffic to the airline’s website was diverted to a fraudulent website, where the personal data of approximately 429,612 customers and staff was harvested, including names, addresses, payment card numbers and CVV numbers.

The ICO’s investigation found that the airline ought to have identified and resolved “weaknesses” in its security, and that addressing these security issues would have prevented the 2018 cyberattack. In particular, the ICO noted that British Airways could have used a number of security measures to mitigate or prevent the attack, including:

  • limiting access to applications, data and tools to only those required to fulfil a user’s role;

  • undertaking rigorous testing on the business’ systems; and

  • protecting employee and third party accounts with multi-factor authentication.

Although the ICO had planned to fine the airline nearly £184 million in its notice of intention last year, the penalty was reduced in light of British Airways improving its security systems since the attack, as well as the impact of COVID-19 on the airline industry.

We have seen a number of data breaches recently in which the personal data of large customer bases has been compromised. They demonstrate that simple security measures, such as administrative access controls and multi-factor authentication, can be your best defence against future cyberattacks (and large fines!).

Copyright 2022 K&L Gates. National Law Review, Volume X, Number 293

About this Author

Cameron Abbott, Technology Attorney, K&L Gates, Australia

Mr. Abbott is a corporate lawyer who focuses on technology, telecommunications and broadcasting transactions. He assists corporations and vendors in managing their technology requirements and contracts, particularly large outsourcing and technology procurement matters, including licensing terms for SAP and Oracle and major system integration transactions.

Mr. Abbott partners with his clients to ensure market-leading solutions are implemented into their businesses. He concentrates on managing and negotiating complex technology solutions, which...

Rebecca Gill, Commercial Technology and Sourcing Lawyer, K&L Gates, Melbourne

Ms. Gill is a lawyer in our Corporate and Transactional team at the Melbourne office.

Primary Practice

Commercial Technology and Sourcing


  • J.D., Melbourne School of Law University of Melbourne, 2018
  • B.A., University of Melbourne, 2014
  • Certificate I in Vocational Preparation, Australian Employment and Training Solutions, 2014