As a couple of folk posted earlier in the thread, we will most likely never to get to know the full story behind this breach. But we do know that BA fully intends to appeal, as allowed by this section of the official press release issued by the ICO : “The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction”

Can anyone say whether the content of such ‘representations’ is made available for public consumption in these scenarios ? The GPDR legislation itself is still fairly new, is it not, so perhaps not too many precedents ? There was a major data breach involving TalkTalk a while back, IIRC.