Some items on our site have recently moved. Visit our News Hub for selected articles, special reports, podcasts and other resources.
BA says data-breach victims suffered no serious financial loss, deserve no compensation
13 August 2020 16:08 by Matthew Newman
British Airways has denied that customers subject to a data breach in 2018 suffered any serious financial loss or are due any compensation, in arguments submitted in group action litigation at a London court.
BA said it's contrary to “public policy principles” under EU data protection rules for it to be required to pay individuals compensation, because it “lawfully and responsibly” sent them a “precautionary notification” about the breach. The UK carrier's arguments were made in a defense filed at the High Court in London on Aug. 4 and made public today.
The airline, which is owned by International Airlines Group, said that any loss suffered by any of the claimants "fails to cross the threshold of seriousness, such that the damage alleged fails to constitute an actionable tort."
The group action stems from an incident two years ago, when BA said the names and addresses of around 500,000 customers — as well as their login, payment card and travel-booking details — were compromised in a data breach. The airline later revised that number lower.
In July 2019, the UK’s Information Commissioner's Office said it planned to fine the airline 183 million pounds (around $240 million) for violating the EU's General Data Protection Regulation by having "poor security arrangements."
Last month, IAG said it now estimates that it may need to pay 22 million euros ($26 million) as a result of the watchdog's probe. The ICO is expected to finalize the amount in coming months.
UK-based PGMBM is the lead litigant on behalf of 7,000 claimants that have signed up with it and several other law firms. Your Lawyers is helping with the litigation. SPG Law's website indicates that each claimant could expect up to 2,000 pounds in compensation, on average.
As in any group action case, claimants seek to rely on the regulator's findings in establishing a defendant's in-principle liability. Efforts to bring a mass litigation suit against BA began shortly after the airline's disclosure in September 2018 of the data breach, which affected the company’s online reservations systems.
In its defense, BA said it notified customers about the data breach and that it took an "entirely proper, precautionary approach."
"With respect to any affected data, it is denied that the same was not kept secure and/or was not collected in a secure way and/or was obtained by unauthorized persons in breach of any duty to which the defendant is alleged” in the group action. it said.
BA has denied liability for the breach, and it opposes the ICO's findings and proposed fine. At a court hearing in October 2019, a lawyer for the airline said the core issue in the litigation was whether BA fell short in its approach to data security.
The ICO said that poor security practices led to the exposure of customers' data. The incident partly entailed user traffic to the BA website being diverted to a fraudulent site, where hackers harvested the information.
In the recent court document, BA said it hasn’t admitted that the attack could result in any fraudulent transactions on customers’ accounts. A section in the defense describing the attack was blacked out for confidentiality reasons.
BA said that it had offered customers free credit- and identity-monitoring services for 12 months as a gesture of goodwill, meant to give clients "an additional measure of comfort." It denied that the data breach placed any affected customer at risk of identity theft.
It added that the claimants have the burden of proof that a breach of its duties under the GDPR was "causally relevant" to the success of the hacking attack.
"The burden of proving breach and causation falls upon the claimants," the company said. "The claimants cannot establish breach or causation of harm."
"The defendant took all such steps as were legally required to protect the confidentiality and security of personal data provided by users of the BA website and BA app themselves," it said.
BA said there was no breach of privacy. The names, e-mail addresses and telephone numbers of individual claimants are "widely shared" and "they cannot be subject to any reasonable expectation of privacy."
The airline also said that hackers' wrongful access of information doesn't mean that BA engaged in "unauthorized disclosure of information."
Finally, BA said that "incomplete" or "inaccurate" details provided by the claimants don't allow the airline to identify whether the claimants are customers able to sue because their data were obtained or accessed during the data breach.