British Airways expects the £183m fine for breaching data rules to be written down by almost 90pc.
The Information Commissioner’s Office (ICO) signaled its intention to fine the airline in July last year after hundreds of thousands of customers’ financial and personal details were stolen during a cyber attack in 2018.
The ICO said the airline was compromised by “poor security arrangements” when it unveiled the penalty – one of the first of its kind following the introduction of the GDPR rules.
BA expects the fine to be reduced considerably from its original sum, according to a statement included in the interim results of parent company IAG on Friday. IAG said there had been an exceptional expense of €22m (£20.1m) set aside in relation to the “theft of customer data at British Airways in 2018”.
The company said it was management’s “best estimate” of the amount of “any penalty issued by the ICO”. The process was “ongoing” and no final penalty notice had been issued, IAG added.
Judy Krieg, privacy partner at law firm Field Fisher, said the figure did not “come out of thin air”.
“The remaining conclusion is that this number must be based on the negotiations with the ICO,” she said.
“The final amount of the fine is still a question mark. But this is a strong indication that it will be far less than the £183.4m suggested barely more than a year ago.”
Edward Machin at Ropes & Gray said the figure “buried” in the results gave a “tantalising insight” into the amount BA could be required to pay.
An ICO spokesperson said: “The regulatory process is ongoing and we will not be commenting until it has concluded.”
BA declined to comment.
Under GDPR rules, companies are obliged to inform the ICO of a cyber breach that affects personal data. Businesses can be fined up to 4pc of their annual turnover.
In October 2018, the ICO fined Facebook £500,000 for its role in the Cambridge Analytica data scandal, although the company did not admit any liability.