British Airways faces class action
iStock/polybutmono

British Airways faces class action

BA said on 7 September that “criminal activity” had led to customers’ personal and financial data being compromised; the airline has emailed 380,000 customers about the breach, which affected bookings made between 21 August and 5 September. The airline added that passport and travel details had not been affected and has vowed to reimburse any financial loss the breach may cause.

Law firm SPG Law said on 9 September that it is seeking compensation for non-material damages caused by the breach. Sean Humber, a partner at claimant-side law firm Leigh Day, told GDR the firm has also been approached by BA customers affected by the leak and will be writing to the airline.

According to SPG, the affected customers may be able to claim up to £1,250 (€1,396) each in compensation. SPG consultant Nigel Taylor told GDR that affected customers could expect to receive at least £750 (€841), based on previous cases.

This means BA could be facing a compensation payout of between £285 million (€320 million) and £475 million (€533 million).

SPG Law, which is the recently established UK arm of US class action outfit Sanders Phillips Grossman, said in the statement that it has sent BA a letter before action inviting the airline to begin settlement discussions. If BA chooses not to settle, the law firm will apply for a group litigation order.

SPG said a significant aggravating factor is the fact that the compromised credit card details were current at the time of the breach. The firm said it has launched the group action following “BA’s failure to offer financial compensation to individuals affected by the data breach for the inconvenience, distress and misuse of their private information.”

“Although BA has offered to compensate individuals for direct financial losses, it has not agreed to pay compensation for non-material damage” despite being liable to do so under UK data protection legislation, the firm said.

BA has said it continues to investigate the incident with the police and cybersecurity specialists, and has reported it to the UK Information Commissioner’s Office​. The ICO said on Friday that it was aware of the incident and is “making enquiries”; the UK’s National Crime Agency has said that officers from its National Cyber Crime Unit are “managing the ongoing investigation and are on site working with BA to gain a better understanding of the incident”.

Leigh Day partner Sean Humber told GDR that “on the face of it” there is evidence BA has violated article 32 of the GDPR, which requires data controllers to implement appropriate technical and organisational measures to keep data secure.

“It is hard to see how BA had an adequate security system if it allowed that information to be hacked,” he said, adding that there could be claims for breach of confidence and misuse of personal information.

He added that the fact that financial information was included in the breach makes the case “more serious”, increasing the the level of distress and inconvenience for customers, as well as their susceptibility to fraud.

SPG Law’s US sister law firms have launched successful claims in some of the country’s largest data breach cases, against companies including Yahoo!, Wendy’s, Target and Anthem.

Counsel to the class

SPG Law

Partner Tom Goodhead in Liverpool