British Airways has finally agreed to cough up compensation to thousands of customers affected by the 2018 data breach, according to the lead legal firm on case which claims the litigation has been resolved on confidential terms, following mediation between representatives for affected claimants and BA.
The case follows one of the most notorious data breaches in history, when BA revealed in September 2018 that its security systems had been hacked, leading to over 420,000 customers and staff having their personal data leaked.
Having self-reported the incident to the UK Information Commissioner’s Office, the resultant investigation found the breach in part involved user traffic to the BA website being diverted to a fraudulent site. It also discovered a variety of information was compromised by poor security arrangements, including log in, payment card, and travel booking details as well name and address information.
The regulator then issued a “notice of intent” on July 8 2019 to fine the airline £183m; in October last year, it was announced that BA had secured a reduction of nearly 90% to £20m.
A team from PGMBM, led by legal director Tony Winterburn and associate Michael Burke, filed a claim on behalf of those affected in April 2020. They have welcomed the settlement, which resolves the largest group litigation order relating to personal data in UK history to date.
The resolution does not include any admission of liability by BA but it does include provision for compensation for qualifying claimants who were part of the litigation. Although it is not known how much they have secured, at one stage the law firm was claiming that customers could be entitled to up to £6,000 each.
PGMBM chairman Harris Pogust said: “We are pleased to have come to a resolution on this matter after constructive mediation with BA. This represents an extremely positive and timely solution for those affected by the data incident.
“The ICO laid out how BA did not take adequate measures to keep its passengers’ personal and financial information secure. However, this did not provide redress to those affected. This settlement now addresses that.”
Today’s announcement closes the group litigation brought on behalf of claimants under GDPR related to that incident, which sought compensation for non-material damage – inconvenience, distress, annoyance and loss of control of their personal data.
Pogust added: “The pace at which we have been able to resolve this process with British Airways has been particularly encouraging and demonstrates how seriously the legal system is taking mass data incidents.”
PGMBM is also gunning for EasyJet after it admitted in 2020 that the personal data of 9 million customers had been compromised, and the credit card details of just over 2,200 had been stolen. The hack attack dwarfed the BA incident.
Pogust concluded: “This is a very positive sign as we look ahead to what will be an even bigger case against EasyJet, as well as other similar international actions.”
Related stories
Lawyers launch TV blitz to woo claimants for BA action
Virgin Media customers urged to join data breach action
BA ‘humiliates’ ICO by slashing £183m fine to £20m
Dentists bare teeth against BDA in breach legal action
Google faces £2bn GDPR class action over kids’ privacy
TalkTalk customers seek payout for double data breach
Law firm pounces on EasyJet breach with £18bn claim
Over 10,000 customers join EasyJet data breach action
Lawyers given 15 months to build BA breach legal case