The law firm calculates that each affected user could claim compensation up to £1250
A few hours after British Airways admitted to having suffered a serious security breach, which involved hackers accessing customer data and full details of 380k payment cards, a British law firm announced that it would launch a collective legal action for £500M against the airline, as reported by ethical hacking experts from the International Institute of Cyber Security.
SPG Law, the newly-launched British law firm (a US’s Sanders Phillips Grossman branch), said British Airways is not offering an appropriate level of financial compensation to affected users. The law firm estimates that each affected person can claim up to £1250 in compensation. In its security notice, British Airways claimed that affected customers would receive reimbursement for any fraudulent activity in their accounts as a direct result of data theft.
This case has several similarities with the attack suffered by the telecommunications company TalkTalk in 2015, the then executive director of the company said they had suffered a “highly sophisticated” cyberattack, when, in fact, specialists in ethical hacking were able to verify that the attack was a rudimentary SQL injection technique.
As if that were not enough, TalkTalk’s clients were told that they could only cancel their contracts if they could prove that they had been defrauded as a direct result of the theft of their personal information guarded by the company, without assuming responsibility for any secondary action that hackers could have performed.
This has led experts in the field to ask: Will British Airways compensate its users if a hacker uses stolen information to get more personal data? (via phone call or email, for example). Searching the FAQ section of the British Airways website, it only mentions facts directly related to data theft:
“Any customer who has made a reservation between 22:58 August 21 and 21:45 September 5, 2018 will be reimbursed for any fraudulent activity in their accounts as a direct result of data theft”.
SPG Law found the opportunity to attract the attention of some media with this case, with Tom Goodhead, partner of the legal firm, announcing the collective action:
“This is unfortunately the latest in a series of catastrophic failures in the airline’s IT systems. However, unlike previous events, this data theft has caused serious inconvenience to almost 400k people. British Airways is responsible for compensating on non-material damage under the Data Protection Regulation of 2018 and SPG Law will take care of legal action against the company”.
Phillips Sanders Grossman claims to have won over a billion dollars in lawsuits against large corporations, including VW, Pfizer and Johnson & Johnson.
According to specialists in ethical hacking, collective demands for data theft are nothing new in the United States, although this is an unprecedented fact in British territory.