British Airways Data Breach Compensation Claims 

British Airways has been fined £20 million for a 2018 data breach. But this money won't compensate victims. Our group actions can help.

Get justice for the British Airways data breaches

 

Airlines must take action to ensure that sensitive passenger information is kept secure. But, for British Airways, customer privacy does not look like a priority after a series of data protection failures at the airline.

In 2018, poor IT infrastructure caused a data privacy violation in which almost 400,000 British Airways customers had their bank card details stolen. This case is now one of the most severe cyber-attacks in UK history. When investigating this breach, a second data breach was uncovered. 

To make matters worse, in 2019 a vulnerability within British Airways’ e-ticketing system was also exposed. And, in 2021, British Airways warned that some of its executive club members’ information may have been put at risk after another cyber hack.

Following an investigation into the 2018 data breach, British Airways has been fined £20 million by the Information Commissioner’s Office (ICO). The fine reflects the number of people whose information was affected and the likely impact on them. But this payment will not be used to compensate victims. The only way to get justice for the BA data breach is to make a compensation claim.

 

We are no longer accepting any new clients to this action.

British Airways Data Breaches

 

British Airways Data Breach (2018): booking website and app

 

Almost 400,000 British Airways customers had their personal details and bank cards stolen in one of the most severe cyber-attacks in UK history. In response, the airline was issued a £20 million penalty by the Information Commissioner’s Office (ICO).

British Airways Data Breach (2018): reward bookings

 
When investigating the first data failure, a second data breach was also spotted at the airline. In this instance, 77,000 people had their names, addresses, email addresses and detailed payment information taken. The breach affected customers making reward bookings.
 

British Airways Data Breach (2019): e-ticketing system

 
Security researchers uncovered unencrypted links within BA’s e-ticketing process. The vulnerability may have also exposed sensitive passenger information such as email addresses, names, phone numbers and more.
 
 

SITA data breach (2021)

 

On 24 February 2021, SITA suffered a “highly sophisticated” attack on its IT systems. The SITA bookings and reservations system provides services to many airlines worldwide.

SITA is not British Airways’ booking and reservations system provider, and British Airways’ systems were not compromised in this attack. However, in an email to its Executive Club members, British Airways warned that some of their information may have been put at risk in this cyber hack.

 

 

Why claim data breach compensation?

Hold British Airways to account for failing to protect your private information.

Receive financial compensation for your losses.

Force airlines to implement better data security.

Holding British Airways to account

The British Airways data breaches were able to happen as the airline failed to implement reasonable and robust security processes. So, claiming compensation isn’t just in your best interests. The only way organisations will be persuaded to take their responsibilities seriously is by taking strong and decisive action.

JOIN THE KELLER LENKNER UK DATA BREACH GROUP ACTION TO GET THE JUSTICE YOU DESERVE.

Talk to our expert data breach lawyers today on 0151 459 5850

British Airways Data Breach Timeline

  • 21st August 2018 – 5th September 2018
    British Airways' systems are compromised in a huge cyber-attack.
  • September 6th 2018
    British Airways announces that it has detected the theft of customer data from its website and mobile app in a (now deleted) tweet.
  • September 7th 2018
    Various media reports claim that about “380,000 transactions are affected, but that the stolen data did not include travel or password details.” British Airways admits that payment card numbers, expiry dates, and CVV security codes were affected by the breach.
  • September 7th 2018
    Online bank Monzo proactively cancels affected customers’ cards and issues replacements.
  • September 11th 2018
    A RiskIQ report suggests that Magecart was involved in the data breach. This is the cyber-criminal organisation thought to be behind the Ticketmaster data hack. Crucially, if RiskIQ is right about how the attack worked, according to a cybersecurity researcher, “BA should have been able to see this”.
  • October 25th 2018
    A second data breach is uncovered at British Airways. An additional 185,000 transactions are found to have been compromised between April and July 2018. As such, the number of affected people increases from 380,000 to 429,000.
  • July 8th 2019
    The ICO releases a statement on its “intent to fine” British Airways a staggering £183.39 million for the data breach.
  • August 2019
    Researchers uncover unencrypted links within British Airways’ e-ticketing process.
  • October 4th 2019
    British Airways customers are given the green light to bring compensation claims against the airline over the data breach.
  • October 16th 2019
    The ICO fines British Airways £20 million. The reduced fine was issued after the airline made representations to the ICO. The impact of COVID-19 was also taken into account by the ICO. 
  • February 2021
    The date to join the British Airways data breach group action is extended to 3rd June 2021.
  • April 2021
    As the deadline to join this case approaches, Keller Lenkner issues a final call to anyone who wants to register for BA data breach compensation.

WHAT IS A GROUP ACTION?

 

Find out more about making a group action claim for compensation against British Airways.

WHAT DOES NO-WIN, NO-FEE MEAN?

 

What does no-win, no-fee actually mean and are there really no costs if you appoint us?

Why use Keller Lenkner UK to make a claim?

We are one of the most experienced multi-claimant law firms in the UK.

Our GDPR, data breach and cybercrime specialists have a combined experience of over 50 years.

We represent clients in group actions and individual cases with innovation, resources, and expertise.

We work with expert barristers to ensure you get the very best level of legal support available.

We have all the resources and global expertise necessary to take on complicated cases and win.

We have offices in Chancery Lane, London and Liverpool City Centre, and the technology to provide a nationwide service.

We use technology to deliver a better legal experience to our clients.

We work on a no-win, no-fee basis.

We make the process straightforward and hassle-free.

JOIN OUR NO-WIN, NO-FEE BRITISH AIRWAYS GROUP ACTION

Your questions answered

 

See our answers to the FAQs we get asked about the British Airways Data Breach.

FAQs about the British Airways data breaches

What happened in the 2018 BA data breaches?

In 2018, poor IT infrastructure caused a data privacy violation in which almost 400,000 British Airways customers had their bank card details stolen. This case is now one of the most severe cyber-attacks in UK history.

When investigating the first data failure, a second data breach was also spotted at the airline. In this instance, 77,000 people had their names, addresses, email addresses and detailed payment information taken. The breach affected customers making reward bookings.

To make matters worse, in 2019 a vulnerability within British Airways’ e-ticketing system was also exposed.

Who can make a claim for the 2018 data breach?

All customers who booked flights online or via the app between 21 April 2018 and 28 July 2018 and/or 21 August 2018 and 5 September 2018 (using a debit or credit card) are affected and can make a British Airways data breach compensation claim with Keller Lenkner UK.

The customers who had their details stolen in the British Airways rewards bookings data breach can also join our data breach compensation claim.

We are no longer accepting any new clients to this action.

 

How did the 2018 data breach happen?

According to reports in the media, a cyber-criminal operation known as Magecart is behind the British Airways data breach. The group has been very active over the past three years. It is also thought to be behind the Ticketmaster data hack.

A report by RiskIQ states that clues link the same operation to the British Airways breach. The company said the code found on the British Airways site was very similar. However, the code was modified to suit the way the airline’s website had been designed. Crucially, if RiskIQ is right about how the attack worked, a cybersecurity researcher has told the BBC that “BA should have been able to see this”. So, the hack could have been very easily prevented.

What happened in the 2019 BA Data Breach?

Researchers at security firm Wandera uncovered unencrypted links within British Airways’s e-ticketing process. Furthermore, they have warned that this vulnerability means that attackers could easily intercept these links. This means that they could access and change the flight booking details and personal information of passengers.

The vulnerability with British Airways’s e-ticketing system may have also exposed the following sensitive passenger information:

  • Email addresses
  • Phone numbers
  • Membership numbers
  • First and last names
  • Booking references, itineraries, flight numbers, flight times, seat numbers and baggage allowances.

 

Who was affected by the 2019 BA e-ticketing data breach?

It is estimated that 2.5 million connections were made to the affected BA domains in just six months. So, the potential impact is thought to be “significant.”

How do I know if my details were involved in a BA data breach?

To join our claim against British Airways, you need evidence that your data was involved in the data breach. British Airways should have emailed everyone involved in the violation, so if you still have that email, we can use that to start your claim.

However, in some cases, victims of the British Airways breach may not have received an email. For example, it might have gone into your spam folder and then been automatically deleted. If this is the case, you will need to provide alternative evidence*.

E.g. confirmation that proves that you booked flights online or via the British Airways app between 21 April 2018 and 28 July 2018 and/or 21 August 2018 and 5 September 2018 using a debit or credit card.

How can I get evidence that British Airways breached my data?

If you have not received confirmation about your involvement (or if you have lost this evidence), but suspect your information was breached, you can ask British Airways if you were put at risk. This is called making a subject access request (SAR).

In the UK, you can ask any organisation if your data was involved in a breach and a copy of this information should be provided free of charge. This is a legal right, and you can complain to the ICO if British Airways does not provide the information you have asked for.

The ICO has published a handy template for individuals who want to make a SAR.

What other evidence will you ask for?

As well as evidence that you purchased tickets from British Airways during the data breach periods, we will ask for:

  • Evidence of any fraudulent transactions/attempts/alerts/cancelled cards that relate specifically to the card you used to purchase the tickets. Although you do not need this to claim.
  • Evidence of any emotional distress suffered because of this breach. Although you do not need this to claim.
  • Confirmation that, as far as you are aware, your card was not put at risk by another data breach.

Am I at risk if British Airways breached my data?

Unfortunately, yes. Cybercriminals diverted some passengers to a fake website where hackers harvested further details. These could be used to commit further harm (e.g. in phishing attempts). Furthermore, because of this breach, many customers were forced to change their bank accounts or credit cards, while others experienced theft, fraud, and emotional damage.

Will victims of the data breach get some of the ICO fine?

In 2020, the Information Commissioner’s Office (ICO) fined British Airways £20 million for failing to protect customer data. However, while the ICO has the power to impose hefty fines on organisations in breach of their duties, it does not award compensation, so this money will not be given to victims of the breach. The only way to get British Airways data breach compensation is to make a claim.

Who is responsible for the data breach?

According to reports in the media, a cyber-criminal operation known as Magecart is behind the British Airways data breach. The group is also thought to be behind the Ticketmaster data hack.

But while BA was the victim of a cyber-attack, the business or organisation responsible is the one who controlled your personal information if they intentionally, negligently or recklessly allowed it to be lost, leaked or hacked. So, in this case, BA is responsible.

Is this claim likely to be successful?

We cannot say for sure, but according to various media reports, British Airways has shown willingness to settle these claims and avoid Court.

Can I sue BA for the data breach?

If BA has contacted you to let you know that your data was involved in this data breach, you can sue for compensation. If you haven’t got an email from BA, but still think that you were involved in this breach, we ask that you provide:

  1. Evidence that you purchased tickets from BA on or between 21 April 2018 and 28 July 2018 and/or 21 August 2018 and 5 September 2018.
  2. Evidence of any fraudulent transactions/attempts/alerts/cancelled cards that relate specifically to the card you used to purchase tickets from BA.
  3. Confirmation that, as far as you are aware, your card was not put at risk by another data breach.

We are no longer accepting any new clients to this action.

How do I make a data breach claim?

We are no longer accepting any new clients to this action.

What can you claim for?

While each case is judged on its own merits, there are some things we would typically look for when it comes to claiming compensation following a data breach, cybercrime or other GDPR violation:

Financial losses

With stolen data, cybercriminals can make purchases using your bank and credit cards, apply for credit in your name, set up fraudulent bank accounts and access your existing online accounts.

Distress

GDPR failures, cybercrime and data breaches can have a significant impact on you, both mentally and physically. They can cause or exacerbate anxiety, stress and other psychological conditions.

Loss of privacy

Your data has value, and organisations must be held to account if they fail to protect your right to data privacy or otherwise do not uphold your GDPR rights.
 

How to protect yourself following a data breach or cybercrime

  • Contact your bank or credit card provider immediately if your financial data has been exposed.
  • Check all bills and emails for goods or services you have not ordered.
  • Check your bank account for unfamiliar transactions.
  • Alert your bank or credit card provider immediately if there is any suspicious activity.
  • Monitor your credit score for any unexpected dips.
  • Call Credit, Experian and Equifax to ensure credit isn’t taken out in your name.
  • Never provide your PIN or full password to anyone (even someone claiming to be from your bank).
  • Never be pressured into moving money to another account for fraud reasons. A legitimate bank won’t ask you to do this.
  • Follow the security instructions provided by the organisation that breached your data.
  • Never automatically click on any suspicious links or downloads in emails or texts.
  • Don’t assume an email or phone call is authentic just because someone has your details.
  • Be careful who you trust – criminals often use scare tactics to try and trick you into revealing your security details.
  • Know that, even if you recognise a name or number, it might not be genuine.
  • Don’t be rushed or pressured into making a decision. A trustworthy organisation would never force you to make a financial transaction on the spot.
  • Never provide your full password, PIN or security code to someone over the phone (or via message). If a bank believes a transaction has been fraudulent, they will not ask for this information to cancel the transaction.
  • Listen to your instincts and ask questions if something feels “off”.
  • Refuse requests for personal or financial information and stop discussions if you are at all unsure.
  • Contact your bank or financial service provider on a number you know and trust to check if a communication is genuine.
  • Be cautious of unsolicited communications that refer you to a web page asking for personal data.
  • Don’t accept friend requests from people you don’t know on social media.
  • Review your online privacy settings.
  • Report suspected fraud attempts to the police and Action Fraud.
  • Register with the Cifas protective registration service to slow down credit applications made in your name.
  • Change your passwords regularly and use a different password for every account (a password manager can help with this).
  • Protect your devices with up-to-date internet security software.
