
16 Oct 2020

British Airways issued with £20m data breach fine - but victims won't get compensation

Which? calls for a clearer route to redress for data breach victims

The Information Commissioner's Office (ICO) has fined British Airways (BA) £20m for its data breach in 2018, which involved the personal and financial details of 400,000 customers. But victims won't see a penny.

The ICO found the airline broke data protection law by processing a significant amount of personal data without adequate security measures.

ICO investigators found that BA should have identified and resolved these weaknesses with security measures that were available at the time.

Fines might deter firms from neglecting their cybersecurity again, but that's little reassurance for victims who often go on to experience fraudulent activity.

Which? is calling for changes to the General Data Protection Regulation (GDPR) to make it easier for consumers to seek compensation after a breach.


Data breach fines: how are they calculated and where does the money go?

Under GDPR, which came into force in 2018, the ICO can impose a maximum fine equivalent to €20m or 4% of a company's global turnover, whichever is higher, for a data breach.

The ICO, however, is yet to issue one of these larger GDPR-era fines.

It did announce its intention to fine BA £183m last year for the 2018 breach, but the fine issued only amounts to £20m. It also announced its intention to fine Marriott just under £100m after the hotel chain lost 339 million guest records, but this fine is yet to be finalised and issued.

The ICO determines a fine by looking at the scale of the breach and how long the organisation took to report it.

The fines go to the UK Treasury, rather than to affected consumers.

'The government should provide a much clearer route to redress'

A Which? survey of 1,369 members in July 2020 found that 23% of people have had their data compromised following a cyberattack on a company or organisation.

And 46% of those members later experienced fraudulent activity.

Despite consumers' exposure to fraud following a breach, it's not easy to secure compensation for any financial loss or distress suffered after an attack.

Under the current system, consumers have to bring court claims themselves and it can be difficult to prove distress was caused by a specific breach.

Which? believes that consumers should have easy access to effective redress and is calling on the government to implement Article 80(2) GDPR.

This would allow not-for-profit organisations such as Which? to bring collective redress actions on behalf of people on an 'opt-out' basis without those consumers each having to bring an individual case against the company involved.

Kate Bevan, Which? Computing editor, said: 'It's good to see the Information Commissioner sending a clear message to companies that it's unacceptable to play fast and loose with people's personal data. However, our research suggests British Airways still has serious vulnerabilities on its websites that are leaving customers potentially exposed to opportunistic cybercriminals.

'Some customers will also be frustrated where they've suffered financially and emotionally from this data breach and had no redress. The government should provide a much clearer route by allowing for an opt-out collective redress regime that deals with mass data breaches.'

How to protect yourself and your data

Whether we're booking a holiday or shopping online, we hand over our data to companies on a weekly (or even daily) basis.

Here are some tips on how to protect yourself and your data from a cyberattack:

  • Passwords: Always set strong passwords for your accounts and use a different password/email combination for every account.
  • Password manager: Many services now alert you if your passwords have been compromised. As services such as LastPass and Dashlane can be used for free, there's no reason not to use a password manager.
  • Two-factor/multi-factor authentication (2FA/MFA): 2FA/MFA is worth activating to increase security if it's available, particularly if your account holds your financial information.
  • Be wary of fraudulent texts, calls and emails: Always be cautious if a company requests personal or sensitive information from you, particularly after a breach. Report anything suspicious to Action Fraud.
  • Sign up to Cifas protective registration: If you do fall victim to a breach, Cifas' service (£25 for two years) means banks and financial companies will take extra steps if they see your details being used to apply for products and services.