A large law firm in the UK has started proceedings to sue British Airways over the most recent payment data leak/hack which compromised credit card and personal data of 380,000 customers.

Customers affected by this hack are eligible to join the Group Litigation Order (class action lawsuit) which could net up to US$1,630 (GBP 1,250) per claim though the sum will likely to be much smaller if settled.

British Airways and it’s IT structure are famous for fouling up multiple times each year, affecting the daily operations as well as passengers either during their travels or in this case retroactively.

We have covered the British Airways payment data hack in the following articles:

British Airways Website And App Hacked & 380K Customer’s Credit Card And Other Information Stolen

British Airways: UPDATE On Website And App Hack – 380,000 Customer’s Information Stolen

British law firm SPG Law has now undertaken steps to sue British Airways under the Data Protection Act 2018 (GDPR) over their role in this hack and the compromised data.

You can access the respective website for the Group Litigation Order (which is the British term for Class Action Lawsuit) here.

The law firm describes the case as follows:

BA announced on the 7th September, 2018 that there had been a breach of its security systems leading to more than 380,000 customers like you having their personal data leaked. This sensitive personal data included full names, debit/credit card numbers (including expiry dates and CVV’s), addresses and email addresses. The breach has led to all customers being required to monitor financial transactions on their debit/credit cards and potentially cancel/request reissuance of their payment cards. BA’s response has been to only offer to reimburse customers who suffer “direct financial losses” and to offer “credit rate monitoring.” This is not good enough. Under Article 82 of the EU General Data Protection Regulation (EU-GDPR) you have a right to compensation for non-material damage. This means compensation for inconvenience, distress and annoyance associated with the data leak. This is not the first time that BA’s IT systems have failed. BA have treated their customers poorly over the past few years and it is time to stand up to them and take action.

I agree especially with the last part of this statement. British Airways has continuously displayed an attitude of negligence and disregard as far as the customer experience is concerned. This wasn’t a one off as there were multiple failures of BA’s IT infrastructure including the infamous meltdown of May 2017 where the company publicly refused to reimburse passengers for replacement tickets purchased.

It turned out that the aforementioned shutdown of the systems were the actions of a technician who switched off and then reconnected the power supply to BA’s data centre. IAG Chairman Willie Walsh later admitted that communications were extremely poor after the incident.

Now this!

The airline updated customers after the incident that they would reimburse them for any financial damages arising from this situation and they would also provide a credit monitoring service. I do agree with SPG Law that this isn’t good enough. Customers are generally not liable for any credit card fraud as this sort of thing is covered in the protection blanket of credit cards.

This entire matter caused affected customers a huge headache. They had to exchange all the credit cards used and change that data with various vendors, especially those that involved auto payment. In some instances it affected people who were about to go on holiday and didn’t have any other cards. BA is essentially not offering them anything as compensation and the credit monitoring service is said to be provided free of charge not by British Airways but Experian in the hopes that people will keep the service after one year when fees start to apply.

Just for the sake of it I’d already suggest customers to either join in this GLO or take matters into their own hands and sue BA on their own.

Here are some bullet points provided by the law firm in the FAQ’s about this case:

Q: How much Compensation will I receive? A: We believe that we will be able to claim up to £1,500 on your behalf. This will be dependent upon your personal circumstances. Q: What will it cost me to bring this claim against BA? A: Nothing upfront. In signing up, you will be asked to enter into a “no win, no fee” agreement with us. Under the terms of this agreement, you will only be liable to pay our fees and expenses, as well as those of barristers, funders and insurers, if the case is successful. The exact amount you will pay will depend upon how long the case takes, how much time the lawyers need to spend on it, and the level of compensation obtain. Unlike some other firms we cap our fees at a maximum of 35% including VAT. Q: When can I expect to receive my compensation? A: All of the lawyers in the proposed group action are committed to obtaining compensation on your behalf as quickly as possible. As BA is one of the largest companies in the UK, however, it may be necessary to take them to court. If a quick settlement is achieved, you may receive your compensation in the next six months but if BA chooses to fight, it could take two years or so. Q: Will I have to pay BA costs if the claim is lost? A: In the event that it is necessary to litigate, we will arrange insurance on behalf of all Claimants who sign up with us. This will protect you against having to pay BA’s costs in the unlikely event that the claim is lost.

While the claim for ‘non material damages’ might indeed be for up to £1,500 the settlement (assuming one will be reached) is going to be much lower than this as it’s mostly the case in class action lawsuits and settlements. In fact many class actions are being settled for pennies on the dollar with only the lead plaintiff getting a decent sum in the end. The law firm stands to win the most – in this case 35% of the total sum awarded/settled – for their services which is a worthwhile sum for them considering the volume of the claim if enough people sign up.

Conclusion

Unless you’re planning to go after BA on your own (in case you’re affected by this breach) I’d still recommend to take part in this class action to ensure the company has at least some fine to pay no matter who the money goes to. I personally wouldn’t expect any more than $100 from such a claim as final settlement.

It’s pretty obvious and not just in this case that British Airways acts extremely arrogant in these matters with a total disregard for the customers damages which might be non-material but in case case a huge waste of time for those involved. And why should you spend your time without compensation just because of British Airways negligence?