In October 2020, the Information Commissioner’s Office (ICO) issued British Airways with a record £20 million penalty for its part in one of the most severe cyber-attacks in UK history. Although cybercriminals carried out the attack, the ICO fined the airline because, had it identified and resolved the weaknesses in its security, the breach might never have happened.
As a result of the data hack, almost 400,000 British Airways customers and staff had their personal details and bank cards stolen. This included names, addresses, payment card numbers and CVV numbers. Enough details were exposed to make the threat of cybercrime a real possibility. Many of our clients have reported financial losses and emotional distress linked to the breach, and the banks had to cancel and re-issue cards as a result of the hack.
However, despite the huge fine (the biggest the ICO has issued to date), it could be argued that British Airways got off lightly. In 2019, the ICO announced its intention to fine the airline a staggering £183 million. This penalty was reduced following an appeal by British Airways, during which time the ICO took the financial impact of COVID-19 on the airline into account.
Keller Lenkner UK has launched a group action against British Airways to help victims of this data breach to claim compensation. We can help you claim compensation for financial losses, as well as for inconvenience and distress.
The registration period for people to join our British Airways action has recently been extended. However, time is now of the essence, and if you want to hold the airline to account for breaching your data protection rights, you must register with us ASAP.
Should you hold British Airways responsible for its data breach?
In our line of work, we sometimes hear people say that companies like British Airways should not have to pay for the acts of unscrupulous hackers, or that it is bad form to try to harm an organisation financially. But the fact is that most data breaches happen because of a failure to implement reasonable and robust processes. Brand loyalty is all well and good, but we mustn’t put the needs of big companies above the rights of consumers.
In this case:
- The hack went undetected for two weeks before the airline told its customers about the breach and reported the incident to the police. With 12 days between the data breach occurring and the incident being detected, it is likely that the risk to passengers increased substantially.
- The ICO identified numerous measures the airline should have used to mitigate or prevent the risk of an attacker being able to access its network. These included:
- limiting access to applications, data and tools to only what is required to fulfil a user’s role
- undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’s systems
- protecting employee and third-party accounts with multi-factor authentication
- When investigating the initial breach, a second data violation was spotted at the airline. And, in 2019, security researchers uncovered another vulnerability which may have exposed sensitive passenger information. So it doesn’t look like the airline has learned its lesson.
- Hackers may have made millions selling credit card details stolen from British Airways customers. The Daily Mail reported that the customer data stolen from British Airways had been listed on the dark web for sale by criminal group Magecart.
- Documents submitted to the High Court in August show that British Airways has denied that affected customers have suffered any serious financial losses. In a statement, British Airways said that the loss sustained by claimants “fails to cross the threshold of seriousness, such that the damage alleged fails to constitute an actionable tort,” which basically means that the airline does not believe that victims of the data breach are due any compensation.
At Keller Lenkner UK, our expert data breach lawyers believe that British Airways is downplaying the harm suffered by customers and employees following the data breach.
What does the ICO fine mean for this case?
The ICO fine means that British Airways will be held responsible for its failure to protect customer data. But, while the ICO has the power to impose data breach fines, it does not pass this money on to the victims of the data breach, regardless of how they have suffered.
However, we can use the evidence uncovered by the ICO to make a very strong case. So, if your data was put at risk by British Airways, you should make a data breach compensation claim ASAP.
To join our British Airways data breach group action compensation claim, register with us today.