Close this search box.

British Airways Suffers $328m GDPR Fine for Data Breach


British Airways is to be fined more than £183m ($328m AUD) by the Information Commissioner’s Office after hackers stole the personal data of half a million of the airline’s customers.

Gridware CEO, Ahmed Khanji said “The fine is the first the ICO has proposed under the new General Data Protection Regulation (GDPR).”

The ICO said its extensive investigation found that the incident involved customer details including login, payment card, name, address and travel booking information being harvested after being diverted to a fraudulent website.

The ICO said that data breach, which began in June 2018, occurred because British Airways had “poor security arrangements” in place to protect customer information being accessed.

“People’s personal data is just that – personal,” said the information commissioner, Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. The law is clear, when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The £183.4m fine amounts to about 1.5% of British Airways’ £11.6bn worldwide turnover last year.

“We are surprised and disappointed in this initial finding from the ICO,” said Alex Cruz, the chair and chief executive of British Airways. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

British Airways, which has since bolstered its web security, can appeal against the findings and scale of the fine before a final decision by the ICO.

“British Airways will be making representations to the ICO in relation to the proposed fine,” said Willie Walsh, the chief executive of BA’s parent company, International Airlines Group (IAG). “We intend to take all appropriate steps to defend the airline’s position vigorously, including making any necessary appeals.”

George Salmon, an analyst at Hargreaves Lansdown financial service company, said the fine would make a “pretty big dent” in IAG’s financial performance.

“The fine serves as a reminder that while one might think of data risks as more relevant to the likes of Google, Facebook and other tech giants, the new rules cover any business with customer data on board,” he said.

“£183m will make a pretty big dent in next year’s numbers, but IAG should be able to withstand its impact as it is less than 10% of expected net profits and could yet be reduced on appeal.”

The fine comes the same day the airline begins talks with its pilots in an effort to avert a potentially damaging summer strike.

Pilots have rejected a pay increase worth 11.5% over three years, which the airline says is “fair and generous”. However, the British Airline Pilots’ Association (Balpa), which represents about 90% of BA’s pilots, says its members deserve a better deal because the airline is making considerable profits.

Last year, BA made an operating profit of £1.96bn, up almost 12% year on year. IAG made a €3.5bn (£3.1bn) pre-tax profit last year, up almost 10% year on year. IAG made €1.3bn in dividend pay outs to investors last year.

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.


Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235


Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →



Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution



A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →