British Airways data leak: ‘Now is the time for victims to be compensated’

Lawyers leading a group litigation on behalf of victims of a significant British Airways data breach have welcomed the decision and fine levied by the Information Commissioner’s Office, and say that now is the time for the half a million victims to be compensated.

British Airways revealed on 7 September 2018 that there had been a breach of its security systems leading to over 400,000 customers and staff having their personal data leaked, including names, debit and credit card numbers, addresses and email addresses.

In July 2019, the Information Commissioner's Office issued a notice of its intention to fine British Airways £183million for infringements of the General Data Protection Regulation (GDPR). However, the ICO last week confirmed that it had revised the fine down to £20million, having considered representations from BA and the impact of COVID-19 on the business.

Law firm PGMBM is leading the group litigation case against British Airways on behalf of victims. They have welcomed the news but state that it is time for BA to compensate those effected, which the ICO fine does not cover.

Harris Pogust, Partner at PGMBM, said: “Unfortunately Covid-19 has taken a significant toll on the airline industry and the move by the ICO to reduce BA’s fine should allow them to protect the business. However, it is now time for BA to compensate the victims.

“In their decision, the ICO sets forth in no uncertain terms that BA failed to take adequate measures to keep the vital personal and financial information of its customers secure. This information is now in the hands of those who would use it for what can only be seen as nefarious purposes.

“We wholeheartedly support those employees of BA who have suffered, as have millions of others, during these trying times. That being said, BA must still abide by the laws and cannot expose its customers to personal attacks by those who seek to cause them financial and emotional harm.

“We trust companies like British Airways with our personal information and they have a duty to all of their customers and the public at large to take every possible step to keep it safe. In this instance, they failed in that duty.”

The date breach saw hackers access personal information including names, addresses, payment card numbers and CVV numbers of BA customers, as well as usernames and passwords of BA employee and administrator accounts.

Under the EU General Data Protection Regulation (EU-GDPR), British Airways customers who have had their data compromised by this data breach have a right to compensation for non-material damage. This means compensation for inconvenience, distress, annoyance and loss of control of their personal data.

PGMBM represents 4,500 victims who have already joined the group action. The firm has set up a dedicated website to help victims at badatabreach.com.

How do I know if I am a victim?

Affected British Airways passengers received an email from the airline in 2018 notifying them that their data had been compromised likely with the subject line, Criminal Theft of Customer Data, more information.

Passengers may have to check their junk or spam email folders to find these important emails, as well as the relevant British Airways booking reference.

All affected customers from around the world can join the claim on a no-win, no-fee basis, whether the exposure of their personal data has led to significant ill effects or not, via badatabreach.com.

PGMBM is a specialist in international group litigation, and are the court-appointed leading law firm in the group litigation surrounding British Airways’ data breaches.

They are also leading a group action against easyJet related to a similar data breach revealed earlier this year. Over 15,000 victims have joined that claim, seeking compensation from easyJet after nine million customers’ personal data was compromised. Further information on that case can be found at theeasyjetclaim.com.