#privacy: British Airways accused of avoiding responsibility over data breach

Lawyers have accused British Airways (BA) of “swerving responsibility” through their efforts to cap compensation sums issued to victims of the data breach suffered by the carrier.

Last year, a cyber-crime incident at BA led to the exposure of around 600,000 customers’ personal details, after online fraudsters took advantage of weaknesses in the airline’s website.

BA has since initiated a class action for those impacted by the breach, but the plan also holds a 17-week time limit in which claimants need to join to be eligible.

Legal experts have called the time limit “unprecedented”, branding the action as a cynical attempt to hold on to as much as possible of a compensation pot that could be worth up to £3bn.

In 2018, around 185,000 BA travellers are thought to have had their personal data compromised between April and July, while another 380,000 customers were hit by a second breach that took place between August and September.

Information compromised in the intrusions comprised full names, residential addresses, email addresses, payment card data and cvv security codes in many instances.

Victims caught up in the breaches could expect to win back as much as £16,000, if those individuals have suffered extreme psychological injury as a result of their losses, while median compensation sums for distress could hit around £6,000, lawyers say. Financial losses from fraud as a result of the hack will also be available.

The UK’s data privacy regulator, the Information Commissioner’s Office hit BA with a record-breaking £183m fine for the data breach.

Representing the claimants, consumer rights law firm, Your Lawyers, has said that imposing a time limit on the compensation window is a “disgrace”. The firm said that previous group litigation orders had been asked for by claimants, not defendants, and that such a small recruitment window would not be allowed by the court in a large consumer action unless BA could demonstrate that all victims have been notified.

Director Aman Johal said: “This is a new low for British Airways, a disgrace. It has let down hundreds of thousands of customers by losing their card payment details. Now it is failing them again by giving everyone affected just 17 weeks to claim rightful compensation for the distress caused.

“Never mind ‘To fly, to serve’, BA should change its tagline to ‘To fly, to swerve responsibility’. I encourage everyone affected to act quickly to ensure they don’t miss out.”

A BA spokesperson said:

“It was a law firm representing prospective complainants who suggested the timeframe (of 17 weeks), and this will have to be agreed by the court. It does not prevent customers joining the group claim at a later date.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.