BA faces possible £800m data breach claim

Claim would be the largest group action personal data claim in UK history

British Airways is facing a claim from victims of a 2018 data breach which could result in a total payout of more than £800 million.

The breach saw credit card and personal data of more than 420,000 people stolen from BA's website and mobile app.

Following a 2019 High Court ruling that customers can claim compensation against the airline, more than 16,000 have so far responded to a notice by law firm PGMBM for "compensation for non-material damage" under the GDPR.

If successful, the compensation per claimant would likely be around £2,000, the law firm says, meaning that if 400,000 people claim, the total would be £800 million.

Partner at PGMBM Tom Goodhead said: "British Airways passengers feel let down by what transpired. They are well within their rights to be compensated for what was previously a trusted airline playing fast and loose with their personal information, leaving it vulnerable for nefarious hackers to take advantage of.

"We trust companies like British Airways with our personal information and they have a duty to all of their customers and the public at large to take every possible step to keep it safe. In this instance, they presided over a monumental failure."

However, BA rejected the premise of the claim. "We continue to vigorously defend the litigation in respect of the claims brought arising out of the 2018 cyber attack. We do not recognise the damages figures put forward, and they have not appeared in the claims."

BA has already been fined by the ICO for the breach, which was blamed on vulnerabilities in the company's website and app software that allowed Magecart hackers to harvest login details, PINs, payment card details, CVV numbers and passwords, and travel booking information, as well as names and addresses.

In view of the pandemic, the ICO reduced the fine from an estimated £183 million to just £20 million, a move which many felt undermined the authority of the regulator.

"The reduction of nearly 90 per cent means the question of whether the ICO has arrived at the right final figure may become immaterial. These headlines, and the perception of backtracking, could begin to undermine the credibility of the ICO, leading consumer groups and others to question its efficacy," commented Britt Endemann, co-head of data governance, technology solutions and forensics and IT at Forensic Risk Alliance.

The £800 million sum would make the forthcoming claim the largest group action personal data claim in UK history; however, it is unlikely that all 400,000 people affected will join the claim.

Whatever the outcome, it's a salutary reminder that with the advent of GDPR and other more stringent data protection regulations, organisations cannot afford to be complacent.

"Preventative measures are simply not sufficient," said Clive Hamilton, UK managing director at Orange Cyberdefense.

"The onus is on organisations to make sure they have done everything they can to protect customer data, applying ongoing monitoring of key systems and putting robust response procedures in place to minimise the impact should the worst happen and a breach occur. Failing to do so can have extremely complex and costly consequences."