British Airways suffered a mammoth breach of its security systems back in 2018. It led to over 420,000 customers and staff having their personal data leaked, including names, debit and credit card numbers, addresses and email addresses. Under the EU General Data Protection Regulation (EU-GDPR), British Airways customers who had their personal information compromised by this breach have a right to compensation for non-material damage – inconvenience, distress, annoyance and loss of control of their personal data.
Eighteen months on, more than 420,000 affected passengers could be eligible to claim £2,000 in compensation each. Law firm PGMBM, the lead solicitors in the group litigation case against BA on behalf of victims, unveiled the figures this morning. They have dubbed it “the largest group-action personal data claim in UK history.” More than 16,000 potential victims and counting have so far signed up to join at the dedicated website badatabreach.com. PGMBM estimate BA’s overall potential liability to be around £800million if everyone claims their £2,000.
Tom Goodhead, Partner at PGMBM, said: “British Airways passengers feel let down by what transpired. “They are well within their rights to be compensated for what was previously a trusted airline playing fast and loose with their personal information, leaving it vulnerable for nefarious hackers to take advantage of.
“We trust companies like British Airways with our personal information and they have a duty to all of their customers and the public at large to take every possible step to keep it safe. In this instance, they presided over a monumental failure.” Goodhead has said it is now time for the victims to be compensated, despite the “toll” covid has taken on the airline industry.
How to know if you’re a victim of the BA data breach
You know you’re a victim if you received an email from British Airways in 2018 notifying you that your data had been compromised. The email is likely to have had the subject line, ‘Criminal Theft of Customer Data, more information’. Passengers may have to check their junk or spam email folders to find the email, as well as their relevant British Airways booking reference. If a passenger cannot find the email but are sure they received it, they can still get in touch with PGMBM to sign a statement of truth. All affected customers from around the world can join the claim on a no-win, no-fee basis,
whether the exposure of their personal data has led to significant ill effects or not, via badatabreach.com.
According to Goodhead, BA denies liability, but it is important to maintain progress on the fight for the victims. In October 2020, BA was fined £20 million over the 2018 data hack. Investigators from the Information Commissioner’s Office (ICO) found the airline should have identified the security weaknesses which enabled the attack to take place. The carrier failed to protect the personal and financial details of more than 400,000 customers,
the ICO said. The ICO added that British Airways did not detect the hack for more than two months. Goodhead said today: “At the Case Management Conference in November 2020, British Airways informed the High Court that it was open to the possibility of entering into settlement discussions
with the Claimants. “We have not yet received any settlement proposals from BA and, until such time as any are received, we will continue to progress the litigation, including at the upcoming Costs and Case Management Conference in the High Court in February.”
A British Airways spokeswoman told Express.co.uk: “We continue to vigorously defend the litigation in respect of the claims brought arising out of the 2018 cyber attack. “We do not recognise the damages figures put forward, and they have not appeared in the claims.”
James Castro-Edwards, partner at Wedlake Bell LLP and Head of leading outsourced data protection service, ProDPO, also shared his insight into the case: “Businesses that handle personal information should already be aware of the General Data Protection Regulation, or GDPR, and the risk of substantial fines if they fail to comply,” he said. “However, they are probably less familiar with the risk of group litigation claims that can
potentially follow a breach of the GDPR.
“Developments in case law mean that individuals who have suffered financial loss or are distressed as a result of a data breach may claim compensation from the breached company. “Individual claims may not be particularly high, but if a large number of people seek
compensation, the overall total could be substantial.” Edwards added: “Organisations that handle personal information about their customers, staff or suppliers must ensure they do so in accordance with the GDPR or they risk not only fines, but potentially enormous compensation claims.”
This was originally published by the Daily Express 0n 13/01/2021