British Airways Faces a Major Class Action Lawsuit Stemming from the 2018 Data Breach
In addition to the record £20 million fine issued by the UK’s Information Commissioner’s Office (ICO) against British Airways (BA) in connection with the 2018 breach, the airline now faces the largest-ever UK class action litigation.
The ICO investigation determined that the June 2018 data breach resulted from “poor security arrangements.” The incident involved the diversion of BA’s website traffic by malware to a fraudulent website. The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers. Other data believed to have been accessed includes the combined card and CVV numbers of 77,000 customers and the card numbers of 108,000 customers. Usernames and passwords of BA employee and administrator accounts, as well as usernames and PINs of up to 612 BA Executive Club accounts, were also potentially accessed.
The ICO concluded that BA failed to implement adequate security measures when processing a significant amount of personal data. The ICO investigators found that BA should have identified weaknesses in its security and resolved them with security measures that were available at the time. According to the ICO, the controls that BA should have implemented include: limiting access to applications, data and tools to only what is required to fulfil a user’s role; undertaking rigorous testing of the business’s systems, in the form of simulated cyber-attacks; and protecting employee and third-party accounts with multi-factor authentication.
The ICO also faulted BA for its lack of awareness of the attack. The ICO investigators found that BA did not detect the attack as it occurred in June 2018 but was alerted to it by a third party more than two months later.
British Airways now faces the largest privacy class action lawsuit in UK history over the 2018 breach. According to Bloomberg, more than 16,000 plaintiffs have joined the case, originally filed in 2018, with a March 2021 deadline for further victims to join. According to some estimates, potential total compensation could reach as high as £2.4 billion. In a recent letter to the court, BA indicated that it was open to settling the claims.
Even though BA escaped the £184 million fine originally announced by the ICO, it might still end up paying a gargantuan damages award as a result of the 2018 breach. The bottom line is that companies that ignore their privacy and data protection obligations are bound to pay the price in the form of regulatory fines, litigation, and diminished reputation among privacy-conscious consumers.
Improve customer trust with Clarip’s privacy governance platform. Schedule a demo of the Clarip data mapping software for GDPR by calling 1-888-252-5653.