As has been discussed within our industry since the announcement of GDPR and the associated fines - we can finally see what the implications of a large-scale data breach mean for the organisation in question. It's interesting to see what percentage of worldwide annual turnover the fine represents (1.5% or £183mil in this case, vs the 4% maximum, or £488mil) - what we don't yet know is how this figure was reached, and how far it reflects the state of system security, breach handling etc.
The ICO's position is that BA didn't take sufficient steps to protect data; BA's response is that it acted quickly once the breach was detected, that no fraudulent activity has been observed on the impacted accounts, and it has immediately pushed back with an appeal.
I, with everyone else, will be watching this one closely to see what can be learned and applied elsewhere.
British Airways data breach: Airline fined £183m after customers’ credit card details stolen