The lawsuit against British Airways for the 2018 data breach is proceeding – should you join?

If you were impacted by the British Airways data breach in 2018, things are starting to get interesting.

Between June and 5th September 2018, the data of people making a transaction at ba.com or BA Holidays was compromised and passed to an unknown third party.

BA originally stated that the following data was shared:

  • email address
  • postal address
  • credit card number
  • expiration date
  • CVV

….. but this was later found to also include log in and travel booking details as well as name and address information.

Passport and frequent flyer data was not compromised as that is not transmitted during the payment process.

500,000 people were impacted by the breach.  If you were included, you will have received various emails from British Airways at the time.

The Information Commissioner’s Office (ICO) was not impressed.  In July 2019 it proposed a fine of £183 million.  See the ICO’s statement here.  This was eventually reduced to £20 million, primarily because of the impact of covid on the airline, although it was made very clear that BA had acted illegally in its treatment of passenger data.

The £20m did not go to impacted customers.  It was divided up between the various European data authorities, with the UK share going directly to the Treasury.

But you can now make your own claim ….

In October 2019, Mr Justice Warby gave permission for a passenger-led case to proceed.  For 18 months now, various groups of lawyers have been planning a group litigation order.

As you may have seen from TV advertising over recent weeks, there is now a final push to get impacted flyers to sign up.

Interestingly, not many people have signed up.  Back in late 2019, when the group litigation order was granted, the largest litigation group had signed up just 5,000 people.  Press reports this week suggest that the total number of people now involved is just 16,000.

Given that Head for Points has around 50,000 readers on an average day, if you include our email readers, and is visited from over 350,000 unique devices per month, the law firms haven’t made much impact.  We could probably have got together a group of 16,000 people ourselves.

Many readers have asked us for guidance

We have received a substantial number of emails in recent days, since the TV advertising began, asking for our opinion.

Back in October 2019 we said that we would do some digging into the various options and report back.

What happened next, of course, was covid and a financial disaster for the airline industry.

As regular readers will know, British Airways has made over 10,000 redundancies in recent months.  The requirement for covid tests for all flyers coming to the UK from tomorrow, plus the current restrictions, are causing it additional problems.  Any large fine against the airline will only weaken its financial position further and lead to more redundancies.

The group litigation is also – let’s be clear – primarily there to line the pockets of the lawyers.  35% of any money you receive will go to them.

There are some spurious numbers being thrown around at the moment about the compensation you may receive.  One oft-quoted number, put around by the lawyers, is a £3 billion total pot.  Given that this is bigger than the fine Boeing paid for the 737 MAX crashes or indeed BP paid for the Deepwater Horizon oil disaster, this is clearly not happening.

At best, it may work out at a couple of hundred pounds per claimant, less 35% for the lawyers.

That said, this will be a landmark case for UK law as it is likely to be the first major case involving a group litigation order.  No-one knows how it will go and the result will impact many future cases.

What do we recommend you do?

Head for Points has misgivings about encouraging readers to join a process that will enrich the lawyers at the expense of a struggling airline and its employees, with claimants receiving a relatively nominal sum in their pockets.

For this reason, we will not be recommending any particular legal group to join.

We are not saying that you shouldn’t join the action if you are entitled to – this is clearly up to you – but it isn’t something that we are comfortable promoting given the current state of the airline industry.

I should flag that the Financial Times reported yesterday that:

“BA indicated it was prepared to settle claims in a letter filed with the court last week and seen by the Financial Times.”

In response, however, one of the law firms involved emailed participants to say:

“We can confirm that, to the best of our knowledge, [the FT article] is factually inaccurate.”

Assuming this is correct, it is not clear a) whether the lawyers will accept the settlement and b) whether others will be allowed to join the settlement if BA agrees a sum.  It is also not clear if the sum would be fixed – so your payout is reduced if more people join – or per person, uncapped.  However it works out, it does imply that your chances of receiving something are better than zero.

I spoke to a senior legal friend – and HfP reader – and he believes that BA will lose the case.  The only question is whether the court decides that claimants need to prove direct financial loss before they can receive a payment.

Comments (170)

  • Hardy says:

    I was affected by the data breach. Got an email from BA too. The Amex I used for the booking was used only on BA (never used it on anything else). 2 months later Amex called to say they had stopped two payments from South America as they were flagged. Turned out someone was using the card that was used on the BA booking.
    Question, which legal agency did people sign up with? Yourlawyers or PGMBM or whatever they are called
    I will claim

  • RussellH says:

    A few impolite comments about some lawyers here.
    🙂
    I can assure you that compared with the language used by the lawyers that I know, when they talk about these lawyers, this is pretty tame.

  • Adam says:

    Good piece … I’m affected and not joining the action. Amex managed the risks well

  • Alex says:

    Thanks for the article. But, for the record:

    BP paid around $63.4 billion by the end of September 2018 to cover clean-up costs and legal fees linked to the largest environmental disaster in U.S. history

  • Kurt says:

    The T&Cs from the law firm are quite interesting….. probably fine, but nonetheless offputting:

    General Terms
    If any of the following events occur, you will be in breach of the Agreement with the effect that you will be liable for,
    and we will seek payment of, our hourly rate, VAT and disbursements as set out in this agreement:
    a. You fail to co-operate with us.
    b. You fail to follow our advice.
    c. You fail to attend any appointment or court hearing which we request you to attend.
    d. You fail to give us necessary instructions when we ask for them, or you fail to give us instructions that allow us
    to do our work properly.
    e. You withdraw instructions from us.
    f. You reject our legal advice about making a settlement with your opponent.
    g. You ask us to work in an improper or unreasonable way.
    h. You mislead us or any party involved in your claim (including any expert instructed in the matter).
    i. You are dishonest or exaggerate your claim

  • Tim says:

    The attempt at emotional blackmail (don’t join cos you will force BA to make more staff redundant) is daft. If BA goes under, then other airlines will fill the gaps and will expand by taking on a similar number of staff.

    I look at it this way. If BA thought they could screw some cash out of, let’s say, Boeing by suing them, it would not hesitate for a moment, certainly not out of some misplaced concern for them.

  • GaryC says:

    I have some sympathy for BA here. Doing InfoSec well is *hard*, and BA could have spent their whole operating budget on it, and still been hacked. Witness the recent SolarWinds hack. Yes, BA probably could/should have spent more, but I would assert that applies to the firms everyone joining this class action works for too.

    I think BA could quite justifiably close down exec club accounts – “In light of your recent law suit it’s quite clear that we are unable to serve you in the manner you require and as a result we have made the decision to…”.

    • Dwb1873 says:

      Did you read the ICO report? They weren’t doing it even close to well, nor did it seem actually trying.

      Inconsistent and poor controls, poor environment mapping, limited monitoring – then tried multiple legal angles to say the ICO was incompetent.

      I’m not joining this action, but BA IMO were not treated harshly by the ICO.

      • James says:

        The ICO is fairly scathing. Among the information security failures are some that I wouldn’t expect a small family run business to make, let alone a high profile global airline that must be a potential target of terrorist attacks and which one might expect to have a sophisticated CISO and a robust, holistic approach to information security. Aside from the concerns about their disregard for customer information, it gives me pause for thought about their concern for passengers more generally.

  • Justin says:

    There is a thread on BT with similar thoughts, although not quite as heated as this. BA just haven’t learned the lesson on IT; their systems are just as bad as they have ever been, so is my data safe with them now?

    Rob you are right that the compensation and the potential costs to BA are probably out of sync with what it has “cost” those affected, but they have not offered anything by way of compensation to the customers affected including myself. What value can I put on not having a credit card for 5 days while AMEX sent a replacement, plus the loss of Avios on my spending… they offered access to my credit file for free, which anyone can get from Experian at any point in time. Not even a derisory cache of Avios, discount on next booking or GOGW.

    Until BA are properly punished then they will not learn their lessons about cutting corners, be that people no longer booking F/J due to lack of hot food, or people claiming for this data breach.
