In 2018, British Airways experienced a data privacy violation which put almost 400,000 passengers at risk. This breach happened when hackers exploited poor IT security at the airline to access the British Airways website and mobile app. The cybercriminals stole bank/credit card details, home addresses, email addresses and travel arrangements in one of the most severe cyber-attacks in UK history.
In 2020, the Information Commissioner’s Office (ICO) fined British Airways £20 million for failing to protect customer data. But this money will not be given to victims of the breach. The only way to get British Airways data breach compensation is to make a claim.
At Keller Lenkner UK, we have launched a British Airways data breach group action to help victims claim compensation and achieve justice. But many people still do not know if their personal data was involved in this privacy violation.
Our expert data protection lawyers explain how to find out if British Airways breached your data, as well as answering some of the other frequently asked questions in this case.
How would I know if British Airways breached my data?
To join our claim against British Airways, you need evidence that your data was involved in the data breach. British Airways should have emailed everyone involved in the violation, so if you still have that email, we can use that to start your claim.
However, in some cases, victims of the British Airways breach may not have received an email. For example, it might have gone into your spam folder and then been automatically deleted. If this is the case, you will need to provide alternative evidence (e.g. confirmation that proves that you booked flights online or via the British Airways app between 21 August 2018 – 5 September 2018 using a debit or credit card).
How can I get evidence that British Airways breached my data?
If you have not received confirmation about your involvement, (or of you have lost this evidence), but suspect your information was breached, you can ask British Airways if you were put at risk. This is called making a subject access request (SAR).
In the UK, you can ask any organisation if your data was involved in a breach and a copy of this information should be provided free of charge. This is a legal right, and you can complain to the ICO if British Airways does not provide the information.
What other evidence will you ask for?
As well as evidence that you purchased tickets from British Airways on or between 22.58 on 21 August 2018 and 21.45 on 5 September 2018, we will ask for:
- Evidence of any fraudulent transactions/attempts/alerts/cancelled cards that relate specifically to the card you used to purchase tickets. Although you do not need this to claim.
- Evidence of any emotional distress suffered because of this breach. Although you do not need this to claim.
- Confirmation that, as far as you are aware, your card was not put at risk by another data breach.
Am I at risk if British Airways breached my data?
Unfortunately yes, cybercriminals diverted some passengers to a fake website where hackers harvested further details. These could be used to commit further harm (e.g. in phishing attempts). Furthermore, because of this breach, many customers were forced to change their bank accounts or credit cards while others experienced theft, fraud, and emotional damage.
Who can make a claim for the 2018 data breach?
All 380,000 customers who booked flights online or via the British Airways app between 21 August 2018 – 5 September 2018 (using a debit or credit card) are affected and can make a British Airways data breach compensation claim (as long as they have evidence to prove their involvement).
Also, when investigating this case, a second data breach was uncovered at the airline. In this instance, 77,000 British Airways rewards customers had their names, addresses, email addresses and detailed payment information taken. This included card numbers, expiry dates, and card verification value (CVV) numbers. A further 108,000 people had their personal details stolen. Customers who had their details stolen in the British Airways rewards bookings data breach can also join our data breach compensation claim.
Will victims of the data breach get some of the ICO fine?
In 2020, the ICO fined British Airways £20 million for failing to protect customer data. However, while the ICO has the power to impose hefty fines on organisations in breach of their duties, it does not award compensation, so this money will not be given to victims of the breach. The only way to get data breach compensation is to make a claim.
Who is responsible for the data breach?
According to reports in the media, a cyber-criminal operation known as Magecart is behind the British Airways data breach. The group is also thought to be behind the Ticketmaster data hack.
But, while British Airways was the victim of a cyber-attack, the business or organisation responsible is the one who controlled your personal information if they intentionally, negligently, or recklessly allowed it to be lost, leaked, or hacked. So, in this case, British Airways is responsible.
Is this claim likely to be successful?
We cannot say for sure, but according to various media reports, British Airways has shown willingness to settle these claims and avoid Court.
How much compensation are victims of the BA data breach likely to get?
It is impossible to say precisely how much each person will be awarded – either via settlement or at Court. However, in our experience, and looking at similar cases, compensation of around £2,000 per claimant (on average) seems likely. In total, British Airways could be made to pay over £800 million in compensation if everyone affected by the breach joined the action.
How soon will this case be settled?
According to various media reports, British Airways has shown willingness to settle these claims, and avoid Court. But this does not mean that a pay-out is imminent.
The Court-mandated deadline to join the action ends in June 2021, and it is unlikely that British Airways will make any settlement before then. Nevertheless, if your data was involved in the British Airways data breach, we encourage you to join the British Airways group action ASAP to ensure you do not miss out on your chance of compensation.
Our data protection lawyers are already gathering evidence to give our clients the best possible chance of success, and we are using the findings uncovered by the ICO to make the strongest possible case.
How do I make a data breach claim?
To join our British Airways data breach group action compensation claim you need to register with us. Thousands of British Airways customers across the UK are seeking compensation for their losses and each claimant could get compensation of around £2,000.
The deadline to join the action ends in June 2021 so it is vital to sign up ASAP to ensure you do not miss out.