DECISION SUMMARY
What happened
An attacker first gained access to British Airways' network on 22 June 2018 and, by 5 September 2018, had compromised the British Airways website and mobile-app infrastructure and exfiltrated personal and payment-card data of approximately 429,000 customers and staff. The ICO found that the card-skimming script itself was live on the payment pages from 21 August 2018 until the breach was discovered on 5 September 2018. The data exfiltrated included names, billing addresses, email addresses, payment-card numbers, card-expiry dates and card-verification values. The attack used a technique commonly referred to as "Magecart", in which malicious JavaScript is injected into a file in the website's payment-page asset chain so that card details are copied to an attacker-controlled server as users type them, while the legitimate transaction completes normally and nothing visible changes for the user.
British Airways became aware of the breach on 5 September 2018 after being alerted by a third party. The airline notified the ICO on 6 September 2018 and publicly disclosed the breach the same day, within the 72-hour window set by Article 33 GDPR. The ICO's investigation examined whether BA's technical and organisational measures met the security requirements of Article 5(1)(f) and Article 32 GDPR (security of processing). On 4 July 2019, the ICO issued a Notice of Intent to fine British Airways £183.39 million, approximately 1.5% of British Airways' 2017 worldwide turnover.
British Airways made extensive representations to the ICO between July 2019 and October 2020, with the statutory deadline for the final notice extended several times by agreement. The representations addressed the proportionality of the proposed fine relative to the gravity and duration of the infringement, mitigating factors including British Airways' remediation work, the impact of the COVID-19 pandemic on its financial position, and fine levels in comparable breach cases. The ICO accepted these representations in part. On 16 October 2020 the ICO issued the final Monetary Penalty Notice in the amount of £20 million.
What the ICO found on security
The ICO's Article 32 analysis identified multiple security weaknesses that, in combination, fell below the standard of appropriate technical and organisational measures required of a controller processing payment-card data at scale. The decision references specific shortcomings. First, there was no multi-factor authentication on remote access, including the Citrix remote-access gateway through which the initial compromise was achieved using compromised credentials belonging to an employee of a third-party supplier; a single password was therefore sufficient to reach BA's internal environment from the internet. Second, access controls and segmentation between systems holding different categories of personal data were inadequate, so a foothold obtained in the remote-access environment could be extended to systems that had no relationship to the supplier's legitimate work, including the web infrastructure serving the payment pages. Third, BA had no file-integrity monitoring or equivalent control on its customer-facing infrastructure that detected or alerted on the modification of the JavaScript file into which the skimmer was inserted, even though the change persisted for the whole period the skimmer was live. Fourth, payment-card data was accessible to, and in some cases retained in plaintext by, components of the infrastructure that did not require it for any business purpose, so that a compromise of those components exposed card data that should never have reached them.
The decision is careful to note that British Airways was not held to a standard of perfect security. Article 32 GDPR requires "appropriate" measures, taking into account the state of the art, the cost of implementation, the nature, scope, context and purposes of processing, and the risk to the rights and freedoms of natural persons. The ICO's analysis was that the measures BA had in place did not meet the appropriate standard for a payment-card processing environment serving millions of customers. Each of the specific weaknesses identified was addressable through controls that were industry-standard practice at the time (MFA for remote and privileged access, network segmentation, file-integrity monitoring, restricting where card data can flow), at a cost proportionate to BA's scale; the ICO also noted that several of these controls are expected under PCI DSS, to which BA was already subject as a merchant.
The 89% reduction
The 89% reduction from Notice of Intent (£183.39M) to final decision (£20M) is the most-discussed feature of the case. The final Penalty Notice sets out the arithmetic of its own figure: a starting point of £30 million, reduced by £6 million (20%) for mitigating factors and by a further £4 million to reflect the economic impact of COVID-19 on BA. What the notice does not explain line by line is how the £183.39 million proposed in the Notice of Intent became a £30 million starting point, but it identifies several factors that contributed.
First, the ICO accepted that the original Notice of Intent had not appropriately weighted certain mitigating factors, including BA's prompt cooperation with the investigation, the immediate steps BA took to contain and remediate the breach, and the steps taken to assist affected customers (including notification and an offer of reimbursement for any financial loss). Second, the ICO accepted that the COVID-19 pandemic had materially affected BA's financial position and that a fine of the originally proposed scale would be disproportionate to BA's ability to pay without affecting its operational viability. The decision references the requirement in Article 83(1) that fines be "effective, proportionate and dissuasive", noting that a disproportionate fine can undermine the regulator's broader objectives. Third, the ICO recalibrated the gravity assessment given the absence of evidence of large-scale downstream fraud against affected customers, while stressing that the harm to data subjects is assessed on the risk created, not only on the fraud that materialised.
The case has become a recurring reference point for controllers and counsel considering representations against ICO notices of intent. The 89% reduction is at the high end of what has been achieved in published UK GDPR decisions, but the Marriott decision issued two weeks later (reduced from £99.2M to £18.4M, an 81% reduction) showed that significant reductions are achievable where representations are substantive and address Article 83(1) proportionality directly.
What this means for security teams
For CISOs in regulated payment environments, the BA decision provides four concrete reference points. First, multi-factor authentication for remote and privileged access is treated as a baseline appropriate measure; its absence is an aggravating factor in security-failure cases, and this applies equally to access granted to third-party suppliers, whose credentials are outside the controller's direct control. Second, network segmentation between PCI and non-PCI environments (and between customer-facing and back-office systems) is similarly baseline, and the test is whether a compromise of one zone actually stops at its boundary, not whether a diagram says it should. Third, file-integrity monitoring on payment-page asset chains should detect unauthorised modification of any script served on the payment page, including vendor and third-party libraries, and raise an alert quickly enough that a skimmer cannot run undetected for the weeks it ran at BA; the control is only as good as the baseline it compares against, so that baseline must be rebuilt and signed off on every legitimate deploy. Fourth, the principle of data minimisation (Article 5(1)(c)) requires that payment data not be accessible to, logged by, or retained in components that do not need it for a defined business purpose; the architectural breadth of access is itself an Article 32 risk, because every additional component that can see card data is an additional place a compromise can harvest it.
For boards, the decision is a reminder that liability for an Article 32 fine does not depend on intent or recklessness. Article 32 imposes an objective standard, and a controller can be fined for failing to meet that standard even where there is no evidence of bad faith; the intentional or negligent character of an infringement affects the amount under Article 83(2), not whether a fine can be imposed. The defence against an Article 32 fine is a documented, risk-proportionate, and regularly-tested security architecture in place before the incident, not after-the-fact remediation, however prompt.