Law firm launches £500 million group action over British Airways hack

Law firm estimates that each affected person may be able to claim up to £1,250 in compensation.

Graham Cluley

Within hours of British Airways admitting that it had suffered a serious security breach, with hackers accessing customer data and the full details of 380,000 payment cards, a British law firm announced that it was launching a £500m group action against the airline.

SPG Law, the newly-launched UK division of US law firm Sanders Phillips Grossman, claimed that despite the hack resulting in inconvenience and distress for travellers, and the misuse of private data, British Airways is failing to offer an appropriate level of financial compensation. The law firm estimates that each affected person may be able to claim up to £1,250 in compensation.

In its advisory, British Airways says that customers will be “reimbursed for any fraudulent activity on their accounts as a direct result of the data theft.”


This reminds me rather a lot of what TalkTalk said after the horrendous hack it suffered in 2015. TalkTalk’s then CEO Dido Harding tried to pass the hack off as “highly sophisticated,” but in truth it was a rudimentary SQL injection attack.

As if that wasn’t bad enough, customers of the broadband provider were told they could only quit their contract if they could prove they were defrauded as a direct result of their personal information being stolen from TalkTalk, rather than as a result of a scammer using the stolen TalkTalk data to extract further details while posing as a TalkTalk employee on the phone.

Will British Airways compensate you if a fraudster uses the information hacked from them to steal yet more personal data from you (perhaps through a scam phone call or email)? My reading of British Airways’s FAQ is that they will not:

“No customer will be out of pocket as a direct result of the criminal theft of data from and the airline’s mobile app. Any customer who made a booking between 22:58 BST August 21 2018 and 21:45 BST September 5 2018 will be reimbursed for any fraudulent activity on their accounts as a direct result of the data theft and we shall advise the process for this in due course.”

Although, to its credit, BA does at least remind customers that it will not proactively request personal data via email or phone call:

“British Airways will never proactively contact you to request your personal or confidential information. If you ever receive an email or call, claiming to be from us, requesting this information, please report it to us straight away.”

SPG Law opportunistically leapt on the chance to grab some headlines, with partner Tom Goodhead announcing the class action suit:

“Unfortunately, this is the latest in a number of catastrophic failures in BA’s IT systems. Unlike previous failures, however, this data breach has caused serious inconvenience and distress to nearly 400,000 people. BA are liable to compensate for non-material damage under the Data Protection Act 2018 and SPG Law will hold them to account.”

Sanders Phillips Grossman claims to have won over US $1 billion for clients against major corporations including VW, Pfizer and Johnson & Johnson.

Class-action lawsuits over data breaches are nothing new in the United States, but I can’t remember anything like this happening before in the UK.

My guess is that we will see more of this in the UK. It’s not just GDPR that you have to worry about.

For more discussion of this issue, be sure to listen to this episode of the “Smashing Security” podcast:

Smashing Security #095: 'British Airways hack, Mac apps steal browser history, and one person has 285,000 texts leaked'



Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy.
