BA reaches settlement in data breach group action

A group action against BA following its 2018 data breach has been successfully settled

A group action lawsuit against British Airways (BA) following its September 2018 data breach has been settled on confidential terms following mediation between the claimants legal representatives and the airline.

The group action was led by a team from law firm PGMBM, led by legal director Tony Winterburn and associate Michael Burke, and is the largest group litigation order relating to personal data in UK legal history. The action, under the European Union General Data Protection Regulation (GDPR), sought compensation for non-material damage – inconvenience, distress, annoyance and loss of control of personal data.

The successful resolution includes provision for compensation for qualifying claimants who joined the litigation, and does not include any admission of liability by BA.

“We are very pleased to have come to a resolution on this matter after constructive mediation with British Airways. This represents an extremely positive and timely solution for those affected by the data incident,” said Harris Pogust, PGMBM chairman.

“The Information Commissioner’s Office laid out how BA did not take adequate measures to keep its passengers’ personal and financial information secure. However, this did not provide redress to those affected. This settlement now addresses that.”

First revealed on 7 September 2018, the breach saw the personal and financial details of customers who made bookings and changes on BA’s website and mobile app between 21 August and 5 September compromised.

At the time, BA was praised for its swift and appropriate response to the incident in alignment with the then box fresh General Data Protection Regulation (GDPR), although the subsequent investigation by the Information Commissioner’s Office (ICO) resulted in the ultimate imposition of a £20m fine, argued down from £183m.

The ICO probe found BA was processing significant amounts of personal data without adequate security measures in place when it fell victim to an attack that it failed to realise the significance of for some time.

It said BA should have identified weaknesses in its cyber posture and fixed them with appropriate measures to prevent the attack from being successful.

A BA spokesperson said: “We apologised to customers who may have been affected by this issue and are pleased we’ve been able to settle the group action. When the issue arose, we acted promptly to protect and inform our customers.”

In addition to its work on the BA case, PGMBM is also representing a growing number of claimants in an action against EasyJet, which experienced a similar breach in 2020. This incident saw the data of nine million passengers compromised.

Pogust said the pace at which the BA action was resolved was “particularly encouraging” and showed the legal system was taking large-scale data breaches seriously.

“This is a very positive sign as we look ahead to what will be an even bigger case against EasyJet relating to their 2020 data breach, as well as other similar international actions,” he said.

Read more about GDPR

Read more on Data breach incident management and recovery

Data Center
Data Management