British Airways faces a £500m lawsuit over its recent mega-breach that exposed payment card details of 380,000 customers.

The airliner last week apologised and offered to compensate customers for any direct financial loss for the attack that took place between 21 August and 5 September via its website and app.

However, an group-action suit* led by SPG Law contends BA has not gone far enough and should be paying travellers for the "compensation for inconvenience, distress and annoyance associated with the data leak".

The action points to compensation rights in the European General Data Protection Regulation, which came into effect in May.

SPG Law, the Brit limb of US firm Sanders Phillips Grossman, set up a dedicated micro-site to get victims to sign up to the case.

The firm, which cynics might dismiss as an ambulance chaser, is recruiting participants on a "no win, no fee" basis. It has suggested its offer is the best and most straightforward way passengers might be able to secure up to £1,500 compensation.

SPG Law said it would cap its fees at a maximum of 35 per cent including VAT.

If the case goes to court, SPG Law acknowledged the possibility that the airline may win and might even be awarded legal costs.

"In the event that it is necessary to litigate, we will arrange insurance on behalf of all Claimants who sign up with us," it said. "This will protect you against having to pay BA's costs in the unlikely event that the claim is lost."

British Airways is yet to respond to a request for comment from The Register. ®

Bootnote

*A group-action lawsuit is the English law equivalent of a class-action lawsuit. SPG Law is also "campaigning" to mount a group-action lawsuit over the VW emissions scandal on behalf of affected drivers. The firm is acting just days after the breach was disclosed and before the dust has settled and the facts are known.