[BreachExchange] Law firm launches £500 million group action over British Airways hack

Destry Winant destry at riskbasedsecurity.com
Mon Sep 10 21:24:41 EDT 2018


Within hours of British Airways admitting that it had suffered a
serious security breach, with hackers accessing customer data and the
full details of 380,000 payment cards, a British law firm announced
that it was launching a £500m group action against the airline.

SPG Law, the newly-launched UK division of US law firm Sanders
Phillips Grossman, claimed that despite the hack resulting in
inconvenience and distress for travellers, and the misuse of private
data, British Airways is failing to offer an appropriate level of
financial compensation. The law firm estimates that each affected
person may be able to claim up to £1,250 in compensation.

In its advisory, British Airways says that customers will be
“reimbursed for any fraudulent activity on their accounts as a direct
result of the data theft.”

This reminds me rather a lot of what TalkTalk said after the
horrendous hack it suffered in 2015. TalkTalk’s then CEO Dido Harding
tried to pass the hack off as “highly sophisticated,” but in truth it
was a rudimentary SQL injection attack.

As if that wasn’t bad enough, customers of the broadband provider were
told they could only quit their contract if they could prove they were
defrauded as a direct result of their personal information being
stolen from TalkTalk, rather than as a result of a scammer using the
stolen TalkTalk data to extract further details while posing as a
TalkTalk employee on the phone.

Will British Airways compensate you if a fraudster uses the
information hacked from them to steal yet more personal data from you
(perhaps through a scam phone call or email)? My reading of British
Airways’s FAQ is that they will not:

“No customer will be out of pocket as a direct result of the criminal
theft of data from ba.com and the airline’s mobile app. Any customer
who made a booking between 22:58 BST August 21 2018 and 21:45 BST
September 5 2018 will be reimbursed for any fraudulent activity on
their accounts as a direct result of the data theft and we shall
advise the process for this in due course.”

Although, to its credit, BA does at least remind customers that it
will not proactively request personal data via email or phone call:

“British Airways will never proactively contact you to request your
personal or confidential information. If you ever receive an email or
call, claiming to be from us, requesting this information, please
report it to us straight away.”

SPG Law opportunistically leapt on the chance to grab some headlines,
with partner Tom Goodhead announcing the class action suit:

“Unfortunately, this is the latest in a number of catastrophic
failures in BA’s IT systems. Unlike previous failures, however, this
data breach has caused serious inconvenience and distress to nearly
400,000 people. BA are liable to compensate for non-material damage
under the Data Protection Act 2018 and SPG Law will hold them to
account.”

Sanders Phillips Grossman claims to have won over US $1 billion for
clients against major corporations including VW, Pfizer and Johnson &
Johnson.

Class-action lawsuits over data breaches are nothing new in the United
States, but I can’t remember anything like this happening before in
the UK.

My guess is that we will see more of this in the UK. It’s not just
GDPR that you have to worry about.

