Maximise your Avios, air miles and hotel points

The lawsuit against British Airways for the 2018 data breach is proceeding – should you join?

Links on Head for Points may pay us an affiliate commission. A list of partners is here.

If you were impacted by the British Airways data breach in 2018, things are starting to get interesting.

Between June and 5th September 2018, the data of people making a transaction at ba.com or BA Holidays was compromised and passed to an unknown third party.

British Airways data breach claim

BA originally stated that the following data was shared:

  • email address
  • postal address
  • credit card number
  • expiration data
  • CVV

….. but this was later found to also include log in and travel booking details as well name and address information.

Passport and frequent flyer data was not compromised as that is not transmitted during the payment process.

500,000 people were impacted by the breach.  If you were included, you will have received various emails from British Airways at the time.

The Information Commissioner’s Office (ICO) was not impressed.  In July 2019 it proposed a fine of £183 million.  See the ICO’s statement here.  This was eventually reduced to £20 million, primarily because of the impact of covid on the airline, although it was made very clear that BA had acted illegally in its treatment of passenger data.

The £20m did not go to impacted customers.  It was divided up between the various European data authorities, with the UK share going directly to the Treasury.

But you can now make your own claim ….

In October 2019, Mr Justice Warby gave permission for a passenger-led case to proceed.  For 18 months now, various groups of lawyers have been planning a group litigation order.

As you may have seen from TV advertising over recent weeks, there is now a final push to get impacted flyers to sign up.

Interestingly, not many people have signed up.  Back in late 2019, when the group litigation order was granted, the largest litigation group had signed up just 5,000 people.  Press reports this week suggest that the total number of people now involved is just 16,000.

Given that Head for Points has around 50,000 readers on an average day, if you include our email readers, and is visited from over 350,000 unique devices per month, the law firms haven’t made much impact.  We could probably have got together a group of 16,000 people ourselves.

Many readers have asked us for guidance

We have receive a substantial number of emails in recent days, since the TV advertising began, asking for our opinion.

Back in October 2019 we said that we would do some digging into the various options and report back.

What happened next, of course, was covid and a financial disaster for the airline industry.

As regular readers will know, British Airways has made over 10,000 redundancies in recent months.  The requirement for covid tests for all flyers coming to the UK from tomorrow, plus the current restrictions, are causing it additional problems.  Any large fine against the airline will only weaken its financial position further and lead to more redundancies.

The group litigation is also – let’s be clear – primarily there to line the pockets of the lawyers.  35% of any money you receive will go to them.

There are some spurious numbers being thrown around at the moment about the compensation you may receive.  One oft-quoted number, put around by the lawyers, is a £3 billion total pot.  Given that this is bigger than the fine Boeing paid for the 737 MAX crashes or indeed BP paid for the Deepwater Horizon oil disaster, this is clearly not happening.

At best, it may work out at a couple of hundred pounds per claimant, less 35% for the lawyers.

That said, this will be a landmark case for UK law as it is likely to be the first major case involving a group litigation order.  No-one knows how it will go and the result will impact many future cases.

What do we recommend you do?

Head for Points has misgivings about encouraging readers to join a process.  It will enrich the lawyers at the expense of a struggling airline and its employees, with claimants receiving a relatively nominal sum in their pockets.

For this reason, we will not be recommending any particular legal group to join.

We are not saying that you shouldn’t join the action if you are entitled to – this is clearly up to you – but it isn’t something that we are comfortable promoting given the current state of the airline industry.

I should flag that the Financial Times reported yesterday that:

“BA indicated it was prepared to settle claims in a letter filed with the court last week and seen by the Financial Times.”

In response, however, one of the law firms involved emailed participants to say:

“We can confirm that, to the best of our knowledge, [the FT article] is factually inaccurate.”

Assuming this is correct, it is not clear if a) the lawyers will accept the settlement and b) whether others will be allowed to join the settlement if BA agrees a sum.  It is also not clear if the sum would be fixed – so your payout is reduced if more people join – or per person, uncapped.  However it works out, it does imply that your chances of receiving something are better than zero.

I spoke to a senior legal friend – and HfP reader – and he believes that BA will lose the case.  The only question is whether the court decides that claimants need to prove direct financial loss before they can receive a payment.

Comments (170)

  • Farid hagmil says:

    Should it not be the survival of the fittest? The void the weakest airlines will leave will allow either better suited new entrants or expansion of current stronger companies to thrive. Frankly hard to have any sympathy to BA after their years of mis-judgements and arrogance…

    • Keith says:

      Exactly. I have 0% sympathy for BA. Much hassle was caused to me as a consequence of forty or so revenue and redemption bookings. BA lied. I received zero for my hassle. I stopped using BA after that – 15 years as gold. If BA go bust I will cheer. The fine was appalling. It should have been much higher. Only when you hit BA where it hurts will they change. And quite frankly, if they go under, so be it. Another airline will take their place. Maybe one that doesn’t say “show us the f**** money” at their shareholder meetings.

    • Erico1875 says:

      No.
      The fittest in this covid enviroment will likely be those that have had the most state aid. ie Lufthansa, who have had over 9 Billion from the German government, not those who are best run

      • Farid hagmil says:

        Well, then no issues for the airline to pay for data breaches! It might make the government think twice to subsidize companies that have no respect to clients, employees and communities alike…

      • marcw says:

        How much has the IAG group already received?

    • BuildBackBetter says:

      Huge barriers of entry in airline industry. It’s not competitive enough for ‘fittest of survival’. Billions needed for planes, need to get past approvals with right ownership structure, landing slots are a completely different ball game that favour incumbents etc.
      Tbh, the landing slots allocation has to be revised to give other airlines a chance. BA has a monopoly on this.

  • BS says:

    I am of the view that large, punitive settlements through the courts are the one thing that actually drives change for the better. In the NHS for example I am aware of trust policies that are based on cost, rather than best care for the patient. It was not until a serious incident followed by a lawsuit that the trust realised it was cheaper to treat the patients properly in the first place, that to try and save a few quid and do inferior but cheaper treatments.

    I suspect the same will be true with BA and data. Until they are sued for a very large amount of money, they will not take data protection seriously. Until they realise it is cheaper to invest in proper systems/security to start with, or it might bankrupt the company. For this reason I would encourage you to join – even if you give any money gained straight to charity. Even if the money solely went to the lawyers it would be a good thing – the punitive impact on BA is the same.

    • James says:

      +1

    • ken says:

      I’d consider the original fine to be punitive, and arguably sufficient to foster change for both BA and other companies.
      A little disappointing that it was reduced by quite so much.

      For individuals, the bar for punitive (really exemplary)damages is set very high and I doubt this case makes it, so a BA settlement offer beckons.

      I get the ‘moral hazard’ bit of letting companies off – but lets be honest here, no-one is giving their share to charity, people eyes have lit up like a dogs bollocks and they just want a free couple of hundred quid.

      The critiscm of lawyers (and accompanying sponsoring funders) is fair as they now have infinitly more skin in the game than any claimant.

      • AndyGWP says:

        Was going to type similar ken… the initial fine (though reduced), is the mechanism that should (and most probably is) driving BA to change behaviour. That doesn’t come overnight though.

      • Bs says:

        Except it wasn’t a punitive fine was it – £20 million is probably the yearly cost saved by using rubbish IT. £180 million clearly would have done the job but they chickened out. This therefore requires civil claims to increase it to something substantial.
        Companies will do simple maths: the cost of doing things properly versus the cost of leaving things are with a fine and potential future fines. Simple numbers one side versus the other. Let’s push them hard to the right way.

  • 1ATL says:

    I’m of the opinion that BA won’t learn unless it hits them in the pocket. Covid or no Covid, they acted with flagrant disregard with customers personal data and were targeted twice because their IT security was so weak. Give any money awarded to charity if you’re not in it for personal gain but don’t let an opportunity like this pass you by if you were affected. I had made 3 bookings during the data breach – booking references still retrievable in BAEC. I also suffered identify theft about a month later having never experienced it before. I can’t be certain but I’d wager it was a direct result of the BA data breach. Not to mention the faff and ballache of having to sort that out in my own time – why shouldn’t they pay?

    • Farid hagmil says:

      +1

    • ken says:

      is anyone arguing that people who suffer loss shouldn’t be compensated ? I don’t think they are.
      Even when there is no provable direct loss, the balance of probabilites test in your case seems persuasive, and I don’t think anyone is saying otherwise.

    • Alex Sm says:

      Two pence from me here:

      1) BA has already got a whooping 89% discount/rebate/haircut off the original fine, so it’s more than enough to offset the covid element of the impact which the original fine would have made

      2) Rob’s claim that lawyers will primarily benefit from the litigation is not entirely true. Even if their commission is 35%, passengers will receive almost the double of this – 65%. And lawyers help them unlock this money – individually they would have received a slice of nothing. And even if it’s a couple of hundred pounds, it will be helpful when many families struggle to make the ends meet. And if it’s a family, you can get 2x or 3x of this amount which is not unsubstantial!

  • Magic Mike says:

    Hmm, don’t sue BA for their negligent handling of customer data due cheaping out on their IT, vs the regular advice here to sue BA through MCOL for failure to adhere to their legal requirements with regard to EC261.

    I hate ambulance chasing lawyers as much as anyone but this doesn’t seem very consistent.

    If I had suffered direct financial loss due to BA in either of those situations I would be straight to the lawyers.

    • Mouse says:

      But this is exactly the point, most people suffered no direct financial loss due to the data breach.

      • Jimmy T says:

        Exactly Mouse, hardly any customers have suffered a financial loss due to this breach.

        • Henry says:

          Irrespective of individual financial loss ( which is not actually relevant) this is a breach of the Data Protection Act and it is this breach and this breach alone which is what BA is being fined for. Parties are being compensated for being victims of the data breach totally irrespective of whether or not they suffered and actual financial loss. Further claiming in addition for financial loss, direct or indirect, is a secondary claim and should indeed be considered against the incompetence and arrogance of BA (bloody awful).

      • memesweeper says:

        It’s very hard to prove loss in these cases, even if you were a victim. Criminals rarely cough up where they got your data from.

        The fact is the data stolen was almost certainly *sold*. This means it had value, and a large number of customers and/or their banks will have lost significant amounts of money at the hands of the purchasers of the data.

        As an affected individual it’s hard for me to show on the balance of probabilities I had a specific loss. Gather up 10,000 people who’s data was stolen and it’s a racing certainty they collectively suffered large losses. I’m not sure what the courts look at in a class action (10,000 individuals or one aggregate) but BA should expect to loose, and would deserve to IMHO.

        An industry downturn is not a reason for BA to be let off the hook — they caused a loss and should pay for it — and a useful message would be sent to other custodians of data.

        • Mouse says:

          Sure, BA should reimburse real losses, but anyone who has not been the victim of identity theft between 2018 and now (which is the vast majority of people) can be sure that they have not been impacted financially by this, whether their data was sold or otherwise, and therefore have no claim in my view.

          Maybe a few people were so worried as to have paid for an identity protection service, and could claim that small amount as a direct loss.

          Anyone who suffered fraud on the card they used to pay BA during that period (again, probably a very small number in any case) should have been reimbursed by their bank – so it’s on the banks to sue BA for fraud cases.

  • Tom says:

    Good on you for taking this stance. Sadly legal action such as this often seems to be less about compensation for those who have suffered genuine hardship and more about herd mentality looking to making a quick buck. The VW emissions scandal is the same, name me one driver who genuinely cares their grotty diesel has been putting out more fumes than it should have been.

    • Chaz says:

      That echoes my view. If you have genuinely lost out and have good reason to believe that the data loss was the cause of that loss, then go for it. If you suffered no impact despite making a booking over that time, then what are you claiming for?

      Yes dodgy IT system, yes there was a data breach but I cannot reconcile that with lining a lawyers pocket.

      • Farid hagmil says:

        Financial losses are not the only measure to suffering consequences of data breach…if this was only about financial losses, justice would be unfair…

        • Jimmy T says:

          Farid, what are the other consequences and should receive financial compensation for them in this instance?

      • 1ATL says:

        But the point is legal action is your ONLY avenue here. It’s not like the PPI situation where it was relatively easy to pursue via non legal channels. If you out in 20 minutes research and submitted claims to the supplier directly you got resolution fairly swiftly. Agreed there were plenty of ambulance companies bombarding everyone at the time willing to do the leg work for a fee and you’d have been a fool to have done that. If I personally instructed legal proceedings against BA the fees I’d incur would be more than the no win no fee solicitors are proposing (30-35% on a win estimated between £500-£2000)

      • Martin says:

        Agreed Chaz

    • Baji Nahid says:

      +1

    • Jonathan says:

      They might not care about the environmental impact (although that’s not a given-look at the growing popularity of electric vehicles which aren’t really the cheap option) but they will certainly care about the fact that the 2nd hand value of diesel cars has plummeted recently!

    • kitten says:

      I admire VW for what they did. Nothing wrong with it for me. Even if the one VW I’ve had was a heap of junk.

  • Alan says:

    Any thoughts on what may happen to BAEC membership and Avios balances for those that join the suit? I’m sure nothing directly but the Club terms given BA a lot of leeway and you do wonder how it may affect things going forward. Agree the traditionally (in the US at least) the majority of money goes in legal expenses for class actions – look at how tiny the payouts normally are vs the size of the funds set aside.

    • Mouse says:

      I’m not a lawyer, but it feels like punitive action against customers who have won court cases against you are likely to be frowned upon, even if if expulsion is allowed by the broad terms and conditions. And certainly from a reputational point of view it would be a disaster – imagine the write-up in the Daily Mail!

  • Stuart says:

    There was a change of policy to the executive club membership a while ago. Could taking action against BA be against this policy and for the sake of a few hundred pounds your hundreds of thousands of points could be wiped out.

  • Adam says:

    @lucky.

    I specifically asked the question about their share of any potential compensation and received the following.

    In the new terms, you will not be required to pay us 35% of any compensation awarded and you will instead retain 100%. This is also a no win no fee agreement which means if we are unsuccessful – we are covered by insurance. Therefore, you will not be liable to pay our fees.

    If you have any other queries, please do not hesitate to get back in contact.

Leave a comment

Your email address will not be published. Required fields are marked *

Please click here to read our data protection policy before submitting your comment