Within hours of British Airways admitting that it had suffered a serious security breach, with hackers accessing customer data and the full details of 380,000 payment cards, a British law firm announced that it was launching a £500m group action against the airline.
SPG Law, the newly-launched UK division of US law firm Sanders Phillips Grossman, claimed that despite the hack resulting in inconvenience and distress for travellers, and the misuse of private data, British Airways is failing to offer an appropriate level of financial compensation. The law firm estimates that each affected person may be able to claim up to £1,250 in compensation.
In its advisory, British Airways says that customers will be “reimbursed for any fraudulent activity on their accounts as a direct result of the data theft.”
This reminds me rather a lot of what TalkTalk said after the horrendous hack it suffered in 2015. TalkTalk’s then CEO Dido Harding tried to pass the hack off as “highly sophisticated,” but in truth it was a rudimentary SQL injection attack.
As if that wasn’t bad enough, customers of the broadband provider were told they could only quit their contract if they could prove they were defrauded as a direct result of their personal information being stolen from TalkTalk, rather than as a result of a scammer using the stolen TalkTalk data to extract further details while posing as a TalkTalk employee on the phone.
Will British Airways compensate you if a fraudster uses the information hacked from them to steal yet more personal data from you (perhaps through a scam phone call or email)? My reading of British Airways’s FAQ is that they will not:
“No customer will be out of pocket as a direct result of the criminal theft of data from ba.com and the airline’s mobile app. Any customer who made a booking between 22:58 BST August 21 2018 and 21:45 BST September 5 2018 will be reimbursed for any fraudulent activity on their accounts as a direct result of the data theft and we shall advise the process for this in due course.”
Although, to its credit, BA does at least remind customers that it will not proactively request personal data via email or phone call:
“British Airways will never proactively contact you to request your personal or confidential information. If you ever receive an email or call, claiming to be from us, requesting this information, please report it to us straight away.”
SPG Law opportunistically leapt on the chance to grab some headlines, with partner Tom Goodhead announcing the class action suit:
“Unfortunately, this is the latest in a number of catastrophic failures in BA’s IT systems. Unlike previous failures, however, this data breach has caused serious inconvenience and distress to nearly 400,000 people. BA are liable to compensate for non-material damage under the Data Protection Act 2018 and SPG Law will hold them to account.”
Sanders Phillips Grossman claims to have won over US $1 billion for clients against major corporations including VW, Pfizer and Johnson & Johnson.
Class-action lawsuits over data breaches are nothing new in the United States, but I can’t remember anything like this happening before in the UK.
My guess is that we will see more of this in the UK. It’s not just GDPR that you have to worry about.
For more discussion of this issue, be sure to listen to this episode of the “Smashing Security” podcast: