Fresh from launching a £500 million group action against British Airways after a serious security breach, UK law firm SPG Law has wasted no time responding to the announcement last week of a hack at Cathay Pacific which saw the personal data of 9.4 million Cathay Pacific passengers breached.
SPG Law is inviting customers of Cathay Pacific to visit its website at cathaydatabreach.com (they were obviously quick off the draw setting that up…)
What shocked many people about the Cathay Pacific data breach is the months and months it took for the company to announce publicly that it had suffered a data breach.
In its announcement last week of a “data security event”, the airline revealed that it had first detected “suspicious activity” on its network in March 2018 and confirmed that there had been unauthorized access to personal information in early May 2018.
That length of delay is clearly bad news for those passengers who had their names, nationalities, dates of birth, phone numbers, email addresses, addresses, passport numbers, identity card numbers, frequent flier membership numbers, customer service remarks, historical travel information, and (in some cases) credit card numbers accessed by hackers.
But never fear, SPG Law (and no doubt other law firms) are offering to apply some pressure on Cathay Pacific to cough up some compensation.
SPG Law, which is the newly-launched UK division of US law firm Sanders Phillips Grossman, estimates that each affected traveller may be able to claim thousands of dollars against Cathay Pacific, and notes that the airline may be failing to fulfil its requirements under GDPR by not offering any financial compensation for European individuals who suffer direct financial losses or non-material damage.
Group actions against hacked companies are a regular sight in the United States, but are relatively new here in the UK.
My hunch is that while big organisations continue to suffer serious security breaches, we’ll continue to see opportunistic law firms helping the public receive some compensation (and skimming off a tidy sum for themselves, of course).
Businesses may be well-minded to consider that fact when they dawdle for months over disclosing a data breach.