Willie Walsh faces uphill battle in fighting €205m data breach fine

London Briefing: BA has dubious distinction of first to be fined under new GDPR rules

"Surprised and disappointed" probably weren't the very first words that sprang to Willie Walsh's mind when he heard British Airways was to be hit with a whopping £183 million (€205 million) fine for last year's data breach.

After all, the company pointed out, it was a victim too, having been the target of a criminal act to steal its customers’ data. The breach included customer names, addresses, logins and travel information, which was harvested by the hackers who diverted customers to a fraudulent website.

In its defence, BA said it had responded swiftly to the hack, which affected half a million of its customers and occurred between April and September last year. The company stressed that it has since found no evidence of fraudulent activity on accounts linked to the data theft.

But the Information Commissioner’s Office (ICO), which imposed the fine on Monday, was having none of it. Explaining the severity of the sanction, it said that during the course of its investigation it had found “a variety of information was compromised by poor security arrangements at the company”.


The information commissioner, Elizabeth Denham, laid down the law to BA: "When you are entrusted with personal data you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

Marriott hack

True to her word, just 24 hours later, the ICO slapped a near-£100 million fine on the hotels group Marriott International, which suffered a massive global hack last autumn in which records of 339 million guests were stolen.

The hotel group’s vulnerability to a cyber attack started when the systems of Starwood hotels were compromised in 2014, two years before the chain was taken over by Marriott.

The exposure of customer information included about 30 million guest records released to residents of 31 countries in the European Economic Area, with seven million related to UK residents, but was not discovered until 2018. Information stolen included passport and credit card details, addresses and dates of birth.

Denham said Marriott had not carried out sufficient due diligence when making the Starwood acquisition and repeated that the ICO “will not hesitate to take strong action when necessary to protect the rights of the public”.

Both BA and Marriott will contest the fines. The pugnacious Walsh, head of BA and Aer Lingus-owner International Airlines Group, will certainly put up a fight, declaring that all appropriate steps will be taken "to defend the airline's position vigorously".

He may have an uphill battle defending BA on this one, however. Gone are the days when the likes of Facebook was fined a mere £500,000 – the maximum then allowed – for its part in the Cambridge Analytica data-sharing scandal.

Dating back to 2015, Facebook's transgression was not covered by the extensive new powers the information watchdog has under the EU-wide General Data Protection Regulation (GDPR), which came into effect in May last year.

It is now able to impose penalties that really will hit companies hard and the bigger the company, the bigger the potential fine, up to a maximum of 4 per cent of annual worldwide turnover.

BA has the dubious distinction of being the first to be fined for breaches under the new GDPR and, although Walsh probably doesn’t agree, it could be argued that the airline got off lightly, as its fine is equivalent to only about 1.5 per cent of its £12 billion turnover.

The ICO is clearly flexing its muscles – under the old rules last year, it issued total penalties of little more than £3 million. The treatment meted out to BA and Marriott this week has put paid to any hopes that the regulator might ease the business world into the tough new regime by raising its fines incrementally over a period of time.

Both companies are suitably high-profile targets to make an early example of, ensuring maximum publicity for the tough new cybersecurity rules. They are likely to be followed by further household-name offenders in the weeks and months ahead as the ICO hammers the message home.

Any board that hasn’t already moved to tighten up its data protection systems will surely have been prodded into action by the prospect of similar draconian penalties.

Appeals from both companies will be heard, and it’s possible their fines could be reduced. On the other hand, the regulator will be keen to demonstrate that it is at last a watchdog with some teeth.

Fiona Walsh is business editor of theguardian.com