British Airways Faces Biggest Class-Action Suit Over Data Breach

Guardar
Engineers work on a 747-400
Engineers work on a 747-400 jumbo jet, manufactured by Boeing Co., operated by British Airways, a unit of International Consolidated Airlines Group SA, at Cotswold Airport in Cirencester, U.K., on Tuesday, Sept. 8, 2020. British Airways, the world's biggest operator of Boeing Co.747-400s, is retiring its entire fleet of the jumbo jets with immediate effect because of the damage the coronavirus has done to air travel. Photographer: Chris Ratcliffe/Bloomberg

(Bloomberg) -- British Airways Plc faces the largest privacy class-action lawsuit in U.K. history over its 2018 customer data breach.

More than 16,000 victims have now joined a case seeking compensation from the airline. They could claim 2,000 pounds ($2,724) each, according to PGMBM, the law firm representing the claimants.

“We trust companies like British Airways with our personal information and they have a duty to all of their customers and the public at large to take every possible step to keep it safe,” Tom Goodhead, a partner at PGMBM, said in an email. “In this instance, they presided over a monumental failure.”

IAG SA-owned BA revealed in September 2018 that a violation of its security systems compromised the personal and financial details of more than 400,000 customers. The carrier was fined 20 million pounds by the U.K. data protection watchdog last year, a fraction of a much heftier fine initially planned by the regulator.

The suit was filed in 2018, with a March 2021 deadline for more victims to join. The claimants’ lawyers say that if every victim of the cyberattack joined the claim, BA’s overall potential liability would be around 800 million pounds.

The U.K. Information Commissioners’ Office said its investigation into the cyberattack found that “the airline was processing a significant amount of personal data without adequate security measures in place,” exposing people’s data unnecessarily. The fine is the ICO’s biggest to date.

BA said in an emailed statement that it continues “to vigorously defend the litigation in respect of the claims brought arising out of the 2018 cyberattack.” It said it doesn’t “recognize the damages figures put forward, and they have not appeared in the claims​.”

At a case management hearing in November, BA told the court it was open to the possibility of entering into settlement discussions with the claimants, according to Goodhead. However, they haven’t yet received any proposals, he said. The next hearing is in February.

Guardar