British Airways faces the largest privacy class-action lawsuit in UK history over its 2018 customer data breach.
More than 16,000 victims have now joined a case seeking compensation from the airline. They could claim £2,000 each, according to PGMBM, the law firm representing the claimants.
“We trust companies like British Airways with our personal information and they have a duty to all of their customers and the public at large to take every possible step to keep it safe,” Tom Goodhead, a partner at PGMBM, said in an email. “In this instance they presided over a monumental failure.”
IAG-owned BA revealed in September 2018 that a violation of its security systems compromised the personal and financial details of more than 400,000 customers. The carrier was fined £20 million by the UK data protection watchdog last year, a fraction of a much heftier fine initially planned by the regulator.
The suit was filed in 2018, with a March 2021 deadline for more victims to join. The claimants’ lawyers say that if every victim of the cyberattack joined the claim, BA’s overall potential liability would be around £800 million.
The UK Information Commissioners’ Office said its investigation into the cyberattack found that “the airline was processing a significant amount of personal data without adequate security measures in place”, exposing people’s data unnecessarily. The fine is the ICO’s biggest to date.
BA said in an emailed statement that it continues “to vigorously defend the litigation in respect of the claims brought arising out of the 2018 cyberattack”.
It said it does not “recognise the damages figures put forward, and they have not appeared in the claims”.
At a case management hearing in November, BA told the court it was open to the possibility of entering into settlement discussions with the claimants, according to Mr Goodhead. However, they haven’t yet received any proposals, he said.
The next hearing is in February.