At Keller Lenkner UK, we’re helping victims of the British Airways data breach get justice after the airline breached their data privacy rights and put their personal information at risk.
However, in our work, we sometimes hear people talking about how companies like British Airways should not have to pay for the acts of unscrupulous hackers. But, while it’s true that cybercriminals are becoming increasingly sophisticated, this doesn’t let negligent organisations off the hook. The fact is that in most cases, data breaches happen because of a failure to implement reasonable and robust processes. We believe that this was the case at British Airways.
Brand loyalty is all well and good, but we mustn’t put the needs of big companies above the rights of consumers. So, was the airline responsible for the data breach?
Let’s look at the facts.
British Airways didn’t spot the data breach for two weeks
Between 21st August and 5th September 2018, almost 400,000 British Airways customers had their bank card details stolen in one of the most severe cyber-attacks in UK history. Enough information was exposed to make the threat of further cybercrime a real possibility. Many banks had to cancel and re-issue cards as a result of the breach.
Worryingly, the hack went undetected for two weeks before the airline told its customers about the breach and reported the incident to the police. British Airways has admitted that the hackers spent more than a fortnight accessing data online, and we believe that this is a severe failure.
With 12 days between the data breach occurring and the incident being detected, it is likely that the risk to passengers increased substantially.
The Information Commissioner’s Office has found evidence of poor security practices
In 2019, the Information Commissioner’s Office (ICO) announced plans to fine British Airways a whopping £183.93 million for the 2018 data breach. The strength of this fine was based on evidence uncovered by the ICO. This evidence established that the privacy violation was only possible due to inadequate security arrangements at the airline.
The £183.93 million fine is currently under appeal, and the ICO is expected to finalise the amount in the coming months. But suppose the airline had done everything in its power to protect its customers’ data and had robust security processes in place. In that case, it is unlikely that a compensation claim would be successful.
British Airways uncovered a second data breach when investigating the first
To make matters worse, when investigating the initial breach, a second data violation was spotted at the airline. In this instance, 77,000 people had their names, addresses, email addresses and detailed payment information taken. This included card numbers, expiry dates, and card verification value (CVV) numbers. And a further 108,000 people had their personal details stolen. This hack could have left customers exposed for months.
British Airways experienced another data breach in 2019
In 2019, security researchers uncovered unencrypted links within British Airways’ e-ticketing process. The vulnerability may have also exposed sensitive passenger information such as email addresses, names, phone numbers and more. So it doesn’t look like the airline has learned its lesson.
Hackers could already have made millions from the British Airways data hack
Russian hackers may have made millions selling credit card details stolen from British Airways customers. The Daily Mail reported that the customer data stolen from British Airways had been listed on the dark web for sale by Russian-led criminal group Magecart.
The research found that the stolen data was put up for sale on the dark web about a week after the British Airways breach. Hackers were charging between £7 and £40 (approximately) for each card’s worth of information. British Airways says it has not received reports of fraud resulting from the attack on its own systems.
The same hackers might have caused the Ticketmaster breach
The Magecart group has been very active over the past three years. It is also thought to be behind the Ticketmaster data hack.
A report by RiskIQ states that clues link the same operation to the British Airways breach. The company said the code found on the British Airways site was very similar. However, the code was modified to suit the way the airline’s website had been designed.
Crucially, if RiskIQ is right about how the attack worked, a cybersecurity researcher has told the BBC that “BA should have been able to see this”. So the hack could have been very easily prevented.
British Airways has been accused of not taking its responsibilities seriously following the data breach
Following the British Airways data breach, the airline said that compensation claims would be discussed on an ‘individual basis’. However, it is not up to the airline to dictate the terms of any compensation payments. In response, customers took to the media to share their fury at the airline’s handling of the privacy violation.
According to an article in The Metro, one customer said “They talk about compensation to be discussed on a case-by-case basis. To me, this seems incredibly unprofessional.” He added: “They are trying to not take full responsibility for it”. The same customer reported suffering fraudulent activity on his credit card, which he used to book a British Airways flight during the time the data was at risk.
Other customers complained that they had not been contacted by British Airways about the data breach, despite having seen fraudulent activity on their payment cards. Others complained about British Airways advising customers to go to their bank for advice, rather than issuing its own instructions to help travellers stay protected.
One customer told the BBC: “I have six cards linked to my BA account. I have no idea how much of my data information has been stolen. I will have to go to each of my credit card providers, cancel the cards, and all the direct debits, etc., related to those cards. This will take a long time, something I have to do with no help from BA”.
More recently, documents submitted to the High Court in August show that British Airways has denied that affected customers have suffered any serious financial losses. In a statement, British Airways said that the losses sustained by claimants “fails to cross the threshold of seriousness, such that the damage alleged fails to constitute an actionable tort.” This basically means that the airline does not believe that victims of the data breach are due any compensation.
At Keller Lenkner UK, our expert data breach lawyers believe that British Airways is downplaying the harm suffered by customers following the data breach.
Make a British Airways compensation claim with Keller Lenkner UK
If your data was put at risk in any of the British Airways data breaches, you might be able to make a compensation claim. Keller Lenkner UK has launched a British Airways Data Breach Group Action to help victims achieve justice.