British Airways has been threatened with a fine of up to £ 183 million for a GDPR violation. If imposed, this will be the highest sanction for a GDPR violation if it were deposited.

The British Supervisory Authority is considering the imposition of a fine regarding the cyber incident reported by British Airways in September 2018. The British Supervisory Authority deems that the incident occurred on June 2018, 3 months before its notification.

According to an official statement published by the British Supervisory Authority, the British Airways website has been compromised, where customers have been redirected to a fraudulent site where attackers collected multiple customer data, such as login passwords, credit card information, names, surnames, addresses etc. It can be assumed that this false page has violated the privacy of about half a million customers (!).

As violations for the right to protection of personal data relates to all European Union citizens, the supervisory authorities of other member states may also comment on the incident. Likewise, British Airways itself may still influence the final decision of the British Supervisory Authority in the proceedings. Apart from the level of the sanction itself, the above example confirms that cyber-attacks are becoming an everyday aspect of ordinary life and affect many natural persons. For this reason, it is appropriate not to underestimate our own cyber protection and thus take adequate measures in the field of cybersecurity.