British Airways Faces Class-Action Lawsuit Over Data Breach

GDPR Privacy Law Lets Breach Victims Seek 'Non-Material Damage' Compensation

British Airways has been threatened with a £500 million ($650 million) class-action lawsuit in U.K. court following its warning last week that a hacker had stolen payment card data associated with 380,000 transactions, one of the worst breaches to ever come to light in the country (see Hacker Flies Away With British Airways Customer Data).

The possibility that a breached business might face a class-action lawsuit in the U.K. is tied to the EU's General Data Protection Regulation, which went into full effect in May. While GDPR requires organizations to notify relevant authorities quickly about any suspected breach - typically, within 72 hours - and to maintain appropriate data security controls, it also gives Europeans new compensation rights.

SPG Law, the U.K. branch of U.S. law giant Sanders Phillips Grossman, on Monday said that it was planning to launch the £500 million group action - the British version of a class-action lawsuit - unless the airline opts to settle.

"Unfortunately, this is the latest in a number of catastrophic failures in BA's IT systems," says attorney Tom Goodhead, a partner at SPG Law, in a statement. "Unlike previous failures, however, this data breach has caused serious inconvenience and distress to nearly 400,000 people. BA is liable to compensate for non-material damage under the Data Protection Act 2018 and SPG Law will hold them to account."

The Data Protection Act is the U.K.'s national data privacy law. The latest version, which went into effect in May, includes but is not limited to all GDPR requirements.

BA Promises to Cover Direct Losses

British Airways declined to comment on the lawsuit. But it has previously said that all victims of the breach, which lasted for 15 days, will face no out-of-pocket losses.

"No British Airways customer will be left out of pocket as a result of this criminal cyber attack on its website, and the airline's mobile app," the airline tells Information Security Media Group in a statement. "The airline has guaranteed that financial losses suffered by customers directly because of the theft of this data from British Airways will be reimbursed, and is recommending that customers contact their bank or card provider if they made a booking or change to their booking between 22:58 BST August 21 2018 and 21:45 BST September 5 2018."

Lawsuit Seeks Non-Material Damage Compensation

On Thursday, British Airways began warning customers that hackers had stolen payment card details used to purchase or change 380,000 tickets. The airline promised to cover any fraudulent losses experienced by customers that were not covered by their payment card issuers.

But SPG Law says that under GDPR, breach victims have a right to further compensation and that BA should compensate victims for the "inconvenience, distress and misuse of their private information" caused by the breach.

Specifically, GDPR states: "Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered."

SPG Law says that it believes that each breach victim may be able to claim up to £1,250 ($1,600), in part because their payment card details were current at the time of the breach.

GDPR, article 82 excerpt (Source:

SPG Law says that if British Airways chooses to not settle, it will apply to the court for a group litigation order, which would allow it to combine multiple victims' claims into a single lawsuit.

Why U.S. Breach Suits Typically Fail

Seeing a data breach lead to a threatened class-action lawsuit in the U.K. is a watershed, made possible thanks to GDPR. But class-action lawsuits are common elsewhere.

Indeed, SPG Law says law firms in the U.S. have successfully won compensation for consumers in a number of large U.S. data breach cases, including against Anthem, Target, Wendy's and Yahoo. They're also in the process of pursuing claims from such firms as Equifax, Excellus BlueCross BlueShield and Premera Blue Cross.

But the vast majority of consumers' data breach lawsuits in the United States have been dismissed after judges ruled that the "plaintiffs bar" - the group of attorneys representing plaintiffs - failed to prove that victims suffered an actual or threatened injury, under what's known as Article III standing.

Organizations that suffered a data breach will typically pay a settlement in cases that appear to be going against them, in part to avoid setting a disadvantageous precedent, legal experts say. If breached organizations settle, attorneys acting on behalf of consumers have received up to 60 percent of the value of the overall settlement (see Why So Many Data Breach Lawsuits Fail).

Apology from BA

"We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers' data very seriously," says Alex Cruz, chairman and CEO of British Airways.

Meanwhile, British Airways has apologized to customers for the breach. "We understand that this incident will cause concern and inconvenience," it says. "We have contacted all affected customers to say sorry, and we will continue to update them in the coming days. British Airways will not be contacting any customers asking for payment card details, any such requests should be reported to the police and relevant authorities."

The airline says its investigation continues. "British Airways continues to investigate with the police and cyber specialists, and has reported the data theft to the Information Commissioner."

The Information Commissioner's Office is the U.K.'s data privacy authority and is responsible for enforcing GDPR. The ICO says its inquiries into the breach are continuing.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
