Air travel company British Airways has settled a group action lawsuit brought forth by customers and staff affected by their 2018 data breach.
This breach, first revealed on the 7th September 2018, had caused the personal data of 420,000 staff and customers to be leaked.
This included the financial and personal details contained in bookings and changes on BA’s website and mobile app between the 21st August and the 5th September that year.
British Airways was hailed at the time for its appropriate and quick response which mirrored the new General Data Protection Regulations (GDPR). However, a subsequent investigation by the Information Commissioner’s Office (ICO) came to a far harsher conclusion.
It was found British Airways had been processing huge amounts of personal data without robust security measures in place when it fell victim to the attack. Furthermore, the ICO argued the airline did not appreciate and respond properly to the full seriousness and scope of the attack at the time.
The ICO argued that British Airways should have identified and fixed weaknesses in its cyber security to protect the data of its staff and customers, slapping the company in 2018 with a colossal £20 million fine.
Years later, the financial consequences continue. The successful resolution between British Airways and the claimants hinged on a confidential settlement, not including any admission of liability by the company.
The claimants, those affected in the data breach, were represented by law firm PGMBM, who had this to say on the case:
“The Information Commissioner’s Office laid out how BA did not take adequate measures to keep its passengers’ personal and financial information secure. However, this did not provide redress to those affected. This settlement now addresses that.”
PGMBM in addition to working on the British Airways case is also representing claimants in a lawsuit against EasyJet. A company which in 2020 faced a similar breach that saw the data of nine million passengers compromised.