BA data breach fine a ‘wake-up call’ for ticketing providers

A record £183m (€200m/$225m) fine that has been slapped on British Airways by the Information Commissioner’s Office (ICO) for a security breach should serve as a “wake-up call” for ticketing technology providers, according to an expert in data protection law.

Raj Shah, an associate in the commercial team at legal firm Collyer Bristow, told TheTicketingBusiness.com today (Tuesday) that sanctions of a similar magnitude are likely to be levied by the ICO in the future. The latest fine is easily the largest single penalty imposed on any organisation so far by the ICO, which until recently was restricted to fines of up to £500,000.

The fine represents about 1.5% of British Airways’ annual sales in 2017, with the maximum fine having been increased to 4% of turnover since the introduction of GDPR, the European Union-wide data protection regulations, in May 2018.

“It should serve as a wake-up call for technology companies across the country, including those in the ticketing industry processing large volumes of personal data, that data protection and security obligations are ongoing and did not stop when the GDPR came into force last year,” Shah told TheTicketingBusiness.com.

“This will almost certainly not be the last fine of this level to be handed down by the ICO, so ticketing organisations should undertake regular audits to ensure compliance and maintain procedures that can be readily mobilised in the event of a personal data breach.

“This fine shows that the ICO takes its regulatory responsibilities seriously and that it expects businesses to work hard to comply with the updated data protection regime.”

The airline, which is owned by IAG, said it was “surprised and disappointed” by the fine imposed for the breach, which occurred last year when hackers carried out what was described as a “sophisticated, malicious, criminal attack” on the BA website. The personal data of about 500,000 customers was compromised, with the watchdog saying that hackers took advantage of “poor” security provisions.

IAG chief executive Willie Walsh has said that an appeal is being considered.