Class action in British Airways data breach

Dominic Conlon, Partner and Head of Corporate, Leman Solicitors

In October 2020, the UK’s Information Commissioner’s Office (ICO) fined British Airways (BA) £20 million for violations of the General Data Protection Regulation (GDPR). This was in relation to a breach that took place in 2018. The breach affected both personal and credit card data of 420,000 data subjects.

This is the largest fine that the ICO has ever imposed, although it is significantly lower than the fine the ICO originally said it would impose in 2019 – £183 million. The ICO said that “the economic impact of Covid-19” had been taken into account.

It is now reported that BA faces the largest group claim ever made in the UK. The proceedings were filed in 2018, with a March 2021 deadline for more data subjects to join. Over 16,000 data subjects have joined the case against BA so far.

The claim seeks damages for financial loss and distress and inconvenience arising from having to change credit cards and change passwords. It also claims that some data subjects have been targeted by other threat actors as a result of the breach and may have seen their credit rating impacted.

The difficulty for BA is that the ICO’s investigation into the cyber-attack found that “the airline was processing a significant amount of personal data without adequate security measures in place,” exposing people’s data unnecessarily.

Article 82(1) of GDPR provides that:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

Therefore, a data subject can claim for non-material damage. This means that damages can be awarded to the data subject for the distress and inconvenience caused by the data breach, without the data subject having to demonstrate any actual loss. It is estimated that a data subject could be awarded anything between £2,000 and £10,000, depending on their particular circumstances.

It is expected that many more of the 420,000 data subjects affected will join prior to the March deadline, and it is being reported that the total claim against BA could be greater than £800 million.

This is a reminder of the potentially catastrophic consequences of security and data breaches. We have seen a significant rise in cyber-attacks this year. It is important that businesses review their systems and procedures, consider obtaining cyber insurance if they do not have any, and deal proactively with any cyber-attacks and data breaches if and when they occur.

The Cyber team at Leman Solicitors provides advice with respect to cyber and data protection matters, including pre-event management, incident response and post-event matters. If you have any queries, please get in touch with Stephen O’Connor at 01 6393000.