News, Culture & Society

British Airways ‘tries to limit £3billion payout over data breach’

British Airways was today accused of trying to limit a potential £3billion payout over the data breach that saw cyber-hackers steal more than 500,000 customers’ details.

The airline has applied to launch its own class action for victims of the hack – but with the condition that claimants must join within just 17 weeks of its opening.

Legal experts claim this is an ‘unprecedented’ action designed to limit payouts to customers, with a consumer rights law firm branding the move a ‘disgrace’.

But BA vehemently insisted anyone can join the group action – with permission of the courts – or launch an individual claim outside the 17-week period. It added that the proposed limit was suggested by a law firm representing victims rather than BA. 

British Airways has applied to launch its own class action for victims of the data breach

The airline, which was crippled by strike action earlier this week, was told in July hat it faced an intended record fine of £183million from the Information Commissioner’s Office for the cyber attack.

Some 185,000 customers had their details compromised between April and July last year, and a further 380,000 were hit by the breach between August and September. 

Victims could receive as much as £16,000 each in cases where psychological injury is extreme, while average compensation payments for distress could reach £6,000. 

The figures were estimated by legal firm Your Lawyers, which added that financial losses from any fraud resulting from the data hack will also be claimed.

The High Court in London will hold a hearing in the Chancery Division next month on October 4 to decide if BA’s class action can go ahead.

Legal experts claimed previous group litigation orders of a similar scale have only been applied for by claimants, rather than defendants.

One victim of the hack was Michelle Dewberry (pictured), the former winner of BBC reality show The Apprentice, who was on holiday in Vietnam when she found out about the breach

One victim of the hack was Michelle Dewberry (pictured), the former winner of BBC reality show The Apprentice, who was on holiday in Vietnam when she found out about the breach

They added that the court would only allow such a short window for claimants if BA could guarantee that all its affected customers have been notified.

BA passenger whose details were stolen in both data breaches 

John Cruickshank’s details were compromised in both BA data hacks.

The 49-year-old finance worker from Stratford, East London, was on his way to Heathrow Airport on December 30 last year to spend New Year’s Eve in Copenhagen with friends.

But his credit card was declined at a hotel before his morning flight. 

He read about the data breach when it was announced on September 7, 2018. Later that day, BA told him he had been caught up in the second breach and his card was immediately cancelled. 

His personal data, including credit card details, had been compromised after he had booked return flights from London to Edinburgh.

But he never received notice from BA that his card and details were affected in the first breach – when he had bought flights to the Danish capital. 

While Mr Cruickshank has not faced any direct fraud due to the breaches, he still feels frustrated by BA’s response, saying: ‘They haven’t been that apologetic, especially considering I was affected by both breaches.’

Speaking about the proposed 17-week cut-off date for joining the group action, he said: ‘The window is far too short, they’re trying to pass the buck and play a blame game.’ 

But a BA spokesman told MailOnline this afternoon: ‘British Airways has been working continuously with specialist cyber forensic investigators and the National Crime Agency to fully investigate the data theft.

‘It was a law firm representing prospective complainants who suggested the timeframe (of 17 weeks), and this will have to be agreed by the court. It does not prevent customers joining the group claim at a later date.’

Sources at BA also dispute the figure of £3billion – which was achieved by multiplying the average estimated payout of £6,000 by 500,000 customers – and claim the action is not unprecedented. 

It is also understood that applicants could bring a claim within the group – or outside it – throughout the litigation process, which could take years. 

Your Lawyers, a legal firm representing claimants in the breach, said just 6,000 people are estimated to have contacted lawyers to try to claim compensation.

Jonathan Whittle from the company claimed the 17-week period was originally proposed by a legal firm as being a cut-off date from when BA would send notice to all the affected customers to say there is a group litigation order.

Asked if people could proceed with a claim outside the 17-week period, he added: ‘Yes, you can, but that completely defeats the purpose of the group litigation which is to spread the cost across a large number of claimants. 

‘It’s very unlikely that they would be set on getting claims outside of litigation. That wouldn’t make sense. As soon as they’ve settled one outside, people in the group litigation would say we want to settle.’

BA chief executive Alex Cruz (pictured on Monday) said in July that the airline was 'surprised and disappointed' by the £183million fine imposed by the Information Commissioner's Office

BA chief executive Alex Cruz (pictured on Monday) said in July that the airline was ‘surprised and disappointed’ by the £183million fine imposed by the Information Commissioner’s Office

And asked if the action was unprecedented, Mr Whittle said he was not aware of another similar case – and neither was his director nor the group’s barrister.  

Heathrow needs a second UK flag carrier to cut fares, study finds

Nearly one in four passengers who fly from Heathrow have no choice but to travel with British Airways or another airline owned by IAG, according to a report commissioned by rival Virgin Atlantic.

The study by consultancy firm WPI Economics found that 18.5 million passengers travelling through the UK’s busiest airport flew on IAG monopoly routes between June 2018 and May 2019.

It stated that IAG holds 55 per cent of all take-off and landing slots at the west London hub and was the sole operator on 77 routes this summer, with destinations including Belfast, Glasgow, Madrid, Osaka and San Diego.

The next largest groups are Lufthansa with 8 per cent and the Delta/Virgin Atlantic partnership with 7 per cent.

A second UK flag carrier capable of carrying as many as 20 million passengers a year needs to be established at Heathrow to bring down fares, the report claimed. 

Your Lawyers gave examples of class action claimants having far longer claim periods such as the Volkswagen Dieselgate scandal which was almost ten months.

The PIP group litigation over defective breast implants had a 12-month window, while there was six months for Berkeley Burke relating to pension investments.

Aman Johal, director of Chesterfield-based Your Lawyers, said: ‘This is a new low for British Airways, a disgrace. It has let down hundreds of thousands of customers by losing their card payment details. 

‘Now it is failing them again by giving everyone affected just 17 weeks to claim rightful compensation for the distress caused.

‘Never mind ‘To fly, to serve’, BA should change its tagline to ‘To fly, to swerve responsibility’. I encourage everyone affected to act quickly to ensure they don’t miss out.’

BA owner IAG said last month it planned to appeal the £183million fine for the breach, which was the first major move under the GDPR data regulation regime.

The data watchdog said in July that BA’s ‘poor’ security systems enabled hackers to steal passengers’ personal details.

The stolen data included login details, bank card details, and travel booking information – plus names and addresses.

Hackers even managed to get their hands on the three-digit security code on the back of customers’ bank cards.

Information Commissioner Elizabeth Denham said other firms could expect similar treatment if they failed to protect the personal data of their customers.

The ICO said customers who logged on to the BA website to make a booking were diverted to a fraudulent site, with their details then ‘harvested’ by attackers.

The cyber attack – known in the industry as ‘pharming’ – remained undetected by BA for several months.

The ICO said BA’s systems were infiltrated the system last June, with the airline not informing the public until September 6 – a day after it finally blocked the hackers. After learning of the breach, thousands of customers rushed to cancel their cards.

BA’s 'poor' security systems enabled hackers to steal passengers' personal details

BA’s ‘poor’ security systems enabled hackers to steal passengers’ personal details

Many complained of being stranded abroad without access to funds, while some claimed money had been taken from their account.

One victim was Michelle Dewberry, the former winner of BBC reality show The Apprentice, who was on holiday in Vietnam when she found out about the breach.

BA chief executive Alex Cruz said in July that the airline was ‘surprised and disappointed’ by the fine. The money from ICO fines goes to the Treasury.

BA passengers suffered huge disruption this week thanks to a 48-hour strike by members of the British Airline Pilots’ Association (Balpa) in a dispute over pay.

The walkout by pilots caused the cancellation of more than 1,700 flights over Monday and Tuesday, affecting 195,000 passengers.

On Wednesday, BA cancelled at least 71 Heathrow flights and 18 Gatwick flights as almost half of its fleet and more than 700 pilots started the day out of position.

A further 24-hour walkout is planned by Balpa for September 27 if the row in protest at the offer of an 11.5 per cent pay rise remains unresolved.  

Climate change activist group Heathrow Pause is plotting to shut down the airport tomorrow by flying drones within its no-fly zone. 


Find local lawyers and law firms at