Case described as ‘largest group action personal data claim in UK history’
British Airways (BA) has reached an out-of-court settlement with the victims of a data breach that exposed personal data belonging to more than 420,000 customers.
Under the agreement with PGMBM, the court-appointed law firm representing victims, the airline will pay thousands of claimants an undisclosed sum. The resolution does not include any admission of liability on the part of the operator.
“This represents an extremely positive and timely solution for those affected by the data incident,” said PGMBM chairman Harris Pogust in a statement.
“The pace at which we have been able to resolve this process with British Airways has been particularly encouraging and demonstrates how seriously the legal system is taking mass data incidents.”
In response to a request for comment from The Daily Swig, British Airways said: “We apologised to customers who may have been affected by this issue and are pleased we've been able to settle the group action. When the issue arose we acted promptly to protect and inform our customers.”
The case centers on a Magecart-style hack of BA’s payment processing infrastructure that in 2018 diverted unsuspecting victims to a malicious website where names, debit and credit card details, postal addresses, and email addresses were harvested over a 15-day period.
Login credentials of BA employee and ‘Executive Club accounts were also potentially accessed.
In January, PGMBM said more than 16,000 victims had submitted compensation claims with four months left until the claims window closed, making it “the largest group action personal data claim in UK history”.
It estimated that “victim compensation could be up to £2,000 [$2,770] putting BA’s overall potential liability at around £800 million [$1.1 billion]”.
What would have been a record-breaking fine of £183 million [$253 million] for infringements of the General Data Protection Regulation (GDPR) was last year reduced to £20 million [$27.7 million] after the UK Information Commissioner’s Office (ICO) took into account the economic impact of Covid-19 on BA.
However, the sum is still the largest dished out by the ICO and the fourth biggest penalty levied by any European regulator since GDPR came into force in 2018.
‘Not good enough’
On a website set up to help victims claim compensation, PGMBM quoted several aggrieved victims saying that the incident had damaged their credit scores.
“The response from BA was not good enough,” said the firm. “BA offered a reimbursement for customers who suffered ‘direct financial losses’ and ‘credit rating monitoring’ for those affected, but did not consider the future repercussions that customers could suffer.”
It also criticized BA for failing to undertake inexpensive, technically simple security measures such as “rigorous testing”, protecting accounts with multi-factor authentication, or “limiting access to applications, data and tools to only those required to fulfill a user’s role”.
However, the firm acknowledged that BA has since “made considerable improvements to its IT security”.
Next up, easyJet
PGMBM is now inviting victims of an even bigger breach of another UK airline to submit compensation claims.
The firm has criticized operator easyJet for taking four months to notify the nine million victims of a data breach, first revealed in May 2020, involving full names, email addresses, and travel information.