Claims-harvesting legal firms are estimating that British Airways could pay out up to £2.4bn for a data breach in 2018 that affected 430,000 passengers.
They are currently recruiting claimants for a group action against the airline.
But a BA spokesperson says: “We do not recognise the damages figures put forward, and they have not appeared in the claims.”
Here’s what you need to know about the lawsuit.
What is the background?
In the summer of 2018, cyber-criminals accessed the personal data of 430,000 passengers. Most of them (58 per cent) had crucial details stolen.
The data comprised the passenger’s name, travel plans, billing address, email address and payment card details – including the three-digit security code (“card verification value,” or CVV) from the back of the card.
The remainder had their card numbers stolen, with 18 per cent of the total having their CVV hacked as well.
The affected travellers had bought flights on the ba.com website, through the British Airways app or with Avios, BA’s frequent-flyer scheme.
The Information Commissioner’s Office (ICO) reported: “Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed."
The cyber attack was not spotted for two months, according to the ICO.
At the time, British Airways told those whose data was at risk: “We are very sorry that this criminal activity has occurred. We’ll reimburse our customers who have suffered financial losses as a direct result of the theft of their payment card details.
“As a precaution we recommend you contact your bank or card provider and follow their advice.”
The airline also offered free credit and identity monitoring services.
BA later said no evidence had emerged of fraudulent activity relating to the hack.
How did it happen?
As with banks, airlines tend to have “legacy” reservation systems that have their origins deep in the 20th century. While they have been continually updated, the structure is not as robust and defensible as newer IT systems.
Many other airlines have been affected by data breaches, including the giant US airline, Delta, and Cathay Pacific of Hong Kong. In the latter case, the personal data of 9.4m customers were accessed.
The ICO said the hack in part involved customers being diverted to a fraudulent site, BAways.com.
Its investigation found the airline was processing a significant amount of personal data “without adequate security measures in place”.
Investigators concluded: “This failure broke data protection law”.
Initially it appeared that BA faced a fine of £183m under the Data Protection Act, representing 1.5 per cent of BA’s global turnover in 2017. At the time it was the largest proposed penalty under new data regulations.
The airline and its parent company, IAG, announced an appeal. British Airways has now paid a penalty of £20m.
What is happening now?
Besides the ICO fine, British Airways also faces civil action. Lawyers are actively canvassing for claimants who say they incurred damages as a result of the hack.
PGMBM (a trading name of Excello Law Ltd), estimates claimants could get an average £2,000, with a bill for BA of £800m.
It has an online claim form in which applicants answer a string of questions, including: "Upon finding out that your personal information had been breached, did you experience any type of emotional distress? Anger, Annoyance, Anxiety, Frustration, Shock, Stress, Upset.”
Excello Law Ltd is lead solicitors in the group action.
Another firm, Your Lawyers, says it “estimates a potential total compensation pot of £2.4bn” on the basis of an average payout of £6,000 per person.
It asserts: “In cases where a psychological injury is extreme, victims of the hack could receive up to £16,000 each."
BA insists it does not recognises these figures. A spokesperson says: “We continue to vigorously defend the litigation in respect of the claims brought arising out of the 2018 cyber attack.”
What happens next?
The solicitors’ claim seeks damages for financial loss, including bank charges and fraud; and “distress and inconvenience” including from having to “change credit cards and change passwords to various online accounts.” It also says some claimants have been targeted by scam emails and may have seen their creditworthiness impacted.
A judge will determine “Whether the defendant [BA] is liable to the claimants, or any of them, for potential damages” for the breach – and, if so, who exactly is entitled to what.