The GDPR compensation lawyers have wasted little time in pouncing on British Airways following last week’s data breach, with SPG Law – the UK division of US law firm Sanders Phillips Grossman – launching a £500m group action against the airline.
BA admitted on Friday that nearly 400,000 customers’ personal and financial information had been compromised in what is understood to be one of the first incidents where full bank card details have been exposed.
Within hours, SPG Law launched the group action citing the fact that the airline had failed to offer financial compensation to individuals affected by the data breach for the inconvenience, distress and misuse of their private information.
Although BA has offered to compensate individuals for direct financial losses, it has not agreed to pay compensation for “non-material damage” despite being liable to do so under GDPR and the Data Protection Act 2018.
SPG Law partner Tom Goodhead said: “Unfortunately, this is the latest in a number of catastrophic failures in BA’s IT systems. Unlike previous failures, however, this data breach has caused serious inconvenience and distress to nearly 400,000 people.
“BA are liable to compensate for non-material damage under the Data Protection Act 2018 and SPG Law will hold them to account.”
SPG Law estimates that each affected person may be able to claim up to £1,250 in compensation, potentially costing the airline £475m. It believes that a significant aggravating factor will be that all affected persons’ credit card details were current at the time of the breach.
SPG Law has sent a “letter before action” to BA inviting the airline to begin settlement discussions. The letter further states that should BA not seek to settle with SPG Law’s clients, SPG Law will apply for a “group litigation order”, in order to allow the courts to manage a large number of similar claims together.
It was reported at the weekend that BA was warned earlier this year that it was vulnerable to hackers but the airline insists the breach was the result of a “very sophisticated, malicious criminal attack on our website”.
As far back as March 2017, Irish Data Protection Commissioner Helen Dixon claimed GDPR could trigger a tsunami of legal action.
British Airways grovels as 380,000 hit by data breach
Brace yourselves for the GDPR data ambulance chasers
Companies face data breach class action bloodbath
Firms face bombardment of data requests under GDPR
GDPR compensation to dwarf £30bn bill for PPI claims