British Airways
Issued by Information Commissioner's Office (ICO) on 2020-10-16
What happened
The ICO fined British Airways £20 million (approx. €22M) after a data breach exposed personal data of approximately 400,000 customers. Attackers used a card-skimming attack (Magecart) on BA's website and mobile app, diverting customer payment details to a fraudulent website. The ICO found that BA should have identified and resolved the vulnerabilities that made the attack possible.
Articles violated
Lessons learned
Organizations must implement appropriate technical measures to protect payment data, including Content Security Policy headers, Subresource Integrity checks, and regular security testing. Web application security must be continuously monitored for unauthorized changes. The fine was reduced from an initial £183M due to BA's cooperation and the economic impact of COVID-19.
Source
View original decision