British Airways fined $229 million under GDPR for data breach tied to Magecart

GDPR fines are getting real.
british airways gdpr fine

Britain’s data protection watchdog says it will fine British Airways £183.39 million ($229.2 million) for security weaknesses that made it possible for hackers to steal information about roughly 500,000 customers.

The U.K. Information Commissioner’s Office said Monday it would fine the airline for violating the European Union’s General Data Protection Regulation. By exploiting weaknesses in British Airways’ site last year, a hacking group known as Magecart was able to collect customer payment card numbers, travel booking details and other sensitive data. The fine would be the largest issued yet under GDPR, surpassing the €50 million levied by French regulators on Google.

“When an organization fails to protect [personal data] from loss, damage or theft it is more than an inconvenience,” U.K. Information Commissioner Elizabeth Denham said in a statement. “That’s why the law is clear – if you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The proposed fine would constitute 1.5 percent of British Airways’ 2017 revenue. The ICO has yet to publicly release a list of British Airways violations, saying only “poor security arrangements” made the breach possible.


GDPR authorizes regulators to issue penalties of up to 4 percent of companies’ annual revenue or £17.9 million ($22.5 million), whichever is greater. The specific criteria explaining the size of each fine is explained in the regulation.

British Airways, which is owned by International Airlines Group, said it plans to fight the decision. The company disclosed the breach in September. The ICO suggested the hack began in June.

The hack on British Airways was one of the first highly publicized data breaches blamed on the Magecart credit scammers. “Magecart” refers to a hacking technique favored by at least 12 separate groups that inject code into highly trafficked websites, like travel and e-commerce pages, to quietly collect credit and debit card information. Thieves also have hit Ticketmaster, alcohol seller BevMo, homegoods giant OXO and a range of other targets.

Jeff Stone

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.

Latest Podcasts