Airlines must take action to ensure that sensitive passenger information is kept secure. But, for British Airways, customer privacy does not look like a priority after a series of data protection failures at the airline.
In 2018, poor IT infrastructure caused a data privacy violation in which almost 400,000 British Airways customers had their bank card details stolen. This case is now one of the most severe cyber-attacks in UK history. When investigating this breach, a second data breach was uncovered.
To make matters worse, in 2019 a vulnerability within British Airway’s e-ticketing system was also exposed. And, in 2021, British Airways warned that some of its executive club members’ information may have been put at risk after another cyber hack.
Following an investigation into the 2018 data breach, British Airways has been fined £20 million by the Information Commissioner’s Office (ICO). The fine reflects the number of people whose information was affected and the likely impact on them. But this payment will not be used to compensate victims. The only way to get justice for the BA data breach is to make a compensation claim.
At Keller Lenkner UK, we can take on your BA compensation claim on a NO-WIN, NO-FEE basis. What’s more, if you win your case, we guarantee that you will get 75% of the compensation awarded to you*
One of the most experienced multi-claimant law firms in the UK, our data breach specialists represent clients against large, well-funded companies. And, unlike some data breach solicitors, we have all the resources and expertise necessary to take on your case and win.
*If you win your case, you will get 75% of the compensation awarded to you AFTER all costs and fees have been deducted. So you will walk away with 75% of the compensation amount. There are no hidden fees or costs. If you lose your case, you will not have to pay a penny.
Almost 400,000 British Airways customers had their personal details and bank cards stolen in one of the most severe cyber-attacks in UK history. In response, the airline was issued a £20 million penalty by the Information Commissioner’s Office (ICO).
On 24 February 2021, SITA suffered a “highly sophisticated” attack on its IT systems. The SITA bookings and reservations system provides services to many airlines worldwide.
SITA is not British Airways’ booking and reservations system provider, and British Airways’ systems were not compromised in this attack. However, in an email to its Executive Cub members, British Airway warned that some of their information may have been put at risk in this cyber hack.
We are not currently pursuing a claim in relation to this breach.
The British Airways data breaches were able to happen as the airline failed to implement reasonable and robust security processes. So, claiming compensation isn’t just in your best interests. The only way organisations will be persuaded to take their responsibilities seriously is by taking strong and decisive action.
One of the most experienced multi-claimant law firms in the UK, our data breach specialists represent clients against large, well-funded companies. And, unlike some data breach lawyers, we have all the resources and expertise necessary to take on your case and win. So, why settle for less?
On 24 February 2021, SITA suffered a “highly sophisticated” attack on its IT systems. SITA stored passenger details on its servers, and some of that information may have been accessed. As a result, millions of passengers could now be compromised.
Find out more about making a group action claim for compensation against British Airways.
What does no-win, no-fee actually mean and are there really no costs if you appoint us?
See our answers to the FAQs we get asked about the British Airways Data Breach.
In 2018, poor IT infrastructure caused a data privacy violation in which almost 400,000 British Airways customers had their bank card details stolen. This case is now one of the most severe cyber-attacks in UK history.
When investigating the first data failure, a second data breach was also spotted at the airline. In this instance, 77,000 people had their names, addresses, email addresses and detailed payment information taken. The breach affected customers making reward bookings.
To make matters worse, in 2019 a vulnerability within British Airway’s e-ticketing system was also exposed.
All customers who booked flights online or via the app between 21 April 2018 and 28 July 2018 and/or 21 August 2018 and 5 September 2018 (using a debit or credit card) are affected and can make a British Airways data breach compensation claim with Keller Lenkner UK.
The customers who had their details stolen in the British Airways rewards bookings data breach can also join our data breach compensation claim.
According to reports in the media, a cyber-criminal operation known as Magecart is behind the British Airways data breach. The group has been very active over the past three years. It is also thought to be behind the Ticketmaster data hack.
A report by RiskIQ states that clues link the same operation to the British Airways breach. The company said the code found on the British Airways site was very similar. However, the code was modified to suit the way the airline’s website had been designed. Crucially, if RiskIQ, is right about how the attack worked, a cybersecurity researcher has told the BBC that “BA should have been able to see this”. So, the hack could have been very easily prevented.
Researchers at security firm Wandera uncovered unencrypted links within British Airways’s e-ticketing process. Furthermore, they have warned that this vulnerability means that attackers could easily intercept these links. This means that they could access and change the flight booking details and personal information of passengers.
The vulnerability with British Airways’s e-ticketing system may have also exposed the following sensitive passenger information:
To join our claim against British Airways, you need evidence that your data was involved in the data breach. British Airways should have emailed everyone involved in the violation, so if you still have that email, we can use that to start your claim.
However, in some cases, victims of the British Airways breach may not have received an email. For example, it might have gone into your spam folder and then been automatically deleted. If this is the case, you will need to provide alternative evidence*.
E.g. confirmation that proves that you booked flights online or via the British Airways app between 21 April 2018 and 28 July 2018 and/or 21 August 2018 and 5 September 2018 using a debit or credit card.
If you have not received confirmation about your involvement (or of you have lost this evidence), but suspect your information was breached, you can ask British Airways if you were put at risk. This is called making a subject access request (SAR).
In the UK, you can ask any organisation if your data was involved in a breach and a copy of this information should be provided free of charge. This is a legal right, and you can complain to the ICO if British Airways does not provide the information you have asked for.
The ICO has published a handy template for individuals who want to make a SAR.
As well as evidence that you purchased tickets from British Airways during the data breach periods, we will ask for:
Unfortunately yes, cybercriminals diverted some passengers to a fake website where hackers harvested further details. These could be used to commit further harm (e.g. in phishing attempts). Furthermore, because of this breach, many customers were forced to change their bank accounts or credit cards while others experienced theft, fraud, and emotional damage.
In 2020, the Information Commissioner’s Office (ICO) fined British Airways £20 million for failing to protect customer data. However, while the ICO has the power to impose hefty fines on organisations in breach of their duties it does not award compensation, so this money will not be given to victims of the breach. The only way to get British Airways data breach compensation is to make a claim.
According to reports in the media, a cyber-criminal operation known as Magecart is behind the British Airways data breach. The group is also thought to be behind the Ticketmaster data hack.
But while BA was the victim of a cyber-attack, the business or organisation responsible is the one who controlled your personal information if they intentionally, negligently or recklessly allowed it to be lost, leaked or hacked. So, in this case, BA is responsible.
We cannot say for sure, but according to various media reports, British Airways has shown willingness to settle these claims and avoid Court.
It is impossible to say precisely how much each person will be awarded – either via settlement or at Court. However, in our experience, and looking at similar cases, compensation of around £2,000 per claimant (on average) seems likely. In total, British Airways could be made to pay over £800 million in compensation if everyone affected by the breach joined the action.
According to various media reports, British Airways has shown willingness to settle these claims, and avoid Court. But this does not mean that a pay-out is imminent.
The Court-mandated deadline to join the BA action ends in June 2021, and it is unlikely that BA will make any settlement before then. Nevertheless, if your data was involved in the British Airways data breach, we encourage you to join the British Airways group action ASAP to ensure you do not miss out on your chance of compensation.
Our data protection lawyers are already gathering evidence to give our clients the best possible chance of success, and we are using the findings uncovered by the ICO to make the strongest possible case.
BA initially said that compensation claims would be discussed on an ‘individual basis’. However, it is not up to BA to dictate the terms of any compensation payments.
At Keller Lenkner Data Breach Solicitors, we are experts in data breach cases. And, once registered with us, it’s not uncommon that we uncover information that allows us to increase the value of your claim. What might seem irrelevant to you, could make a huge difference in the eyes of the law. That’s why it’s important not to be fobbed off by a low initial offer from BA. Instead, by making a no-win, no-fee claim with us, we can increase the amount of compensation you receive substantially.
If BA has contacted you to let you know that your data was involved in this data breach, you can sue for compensation. If you haven’t got an email from BA, but still think that you were involved in this breach, we ask that you provide:
Confirmation that, as far as you are aware, your card was not put at risk by another data breach.
To join our British Airways data breach group action compensation claim you need to register with us. Thousands of British Airways customers across the UK are seeking compensation for their losses and each claimant could get compensation of around £2,000.
The deadline to join the action ends in June 2021 so it is vital to sign up ASAP to ensure you do not miss out.
While each case is judged on its own merits, there are some things we would typically look for when it comes to when claiming compensation following a data breach, cybercrime or other GDPR violation:
With stolen data, cybercriminals can make purchases using your bank and credit cards, apply for credit in your name, set up fraudulent bank accounts and access your existing online accounts.
GDPR failures, cybercrime and data breaches can have a significant impact on you, both mentally and physically. They can cause or exacerbate anxiety, stress and other psychological conditions.
