British Airways Data Breaches
In 2018, British Airways (BA) suffered two data breaches, one between April and July and another between August and September. In the first incident, around 185,000 BA reward booking customers had their personal information and financial details exposed. In the second incident, 380,000 users of BA’s app and website had account information stolen. Like several other travel industry businesses, BA failed to learn lessons from the first breach and thus suffered a second. BA revealed the breaches in September 2018 when it disclosed that information belonging to over 420,000 victims had been compromised. The leaked data included names, billing addresses, email addresses and credit card information. With regard to the latter, card numbers, expiry dates and the CVV security codes of 244,000 people were exposed. Fortunately, victims’ passport details were not compromised. Both BA customers and staff were victims of the breaches.
ICO Fines
In July 2019, the UK’s Information Commissioner’s Office (ICO) issued BA a notice of its intention to fine the airline for having inadequate security measures. The ICO ruled that the way BA had treated logins, payment and booking information was in violation of data protection laws. Given the scale of customer data involved, the ICO initially intended to fine BA £183 million for failing to keep this data secure. However, the penalty was later slashed to £20 million (approximately $26 million) in light of BA’s representations. Also taken into consideration was the Covid-19 pandemic’s impact on the business, and the travel industry as a whole. Nonetheless, the fine is the largest ever issued by the ICO since the introduction of the GDPR in May 2018.
BA Allegedly Considering Settlement
As well as the fine, BA, similarly to SolarWinds, now faces a class action lawsuit from its victims. However, to try to avoid litigation costs, BA is reportedly considering entering settlement discussions. According to consumer action law firm Your Lawyers, settlement discussions are to begin in the first quarter of this year. Your Lawyers were appointed to the Steering Committee responsible for the BA data breach litigation in 2019. The law firm further states that BA’s willingness to discuss a settlement indicates its acceptance of culpability for the breaches. “News that British Airways wants to settle compensation claims, with negotiations set to take place in the first quarter of 2021, is acknowledgement of its wrongdoing in failing to protect customer data,” said Aman Johal, director at Your Lawyers. If it’s true that BA wishes to settle rather than go to court, BA is facing an enormous compensation payout. It has been reported that victims could potentially get an average compensation amount of £6,000 each. This could bring the total compensation bill to over £2.4 billion, as financial losses arising from the breach could also be claimed.
BA’s Response to the Settlement Claim
In response to Your Lawyers’ claims, BA stated: “We continue to deny liability in respect of the claims brought arising out of the 2018 cyber attack and are vigorously defending the litigation. We do not recognize the damages figures that Your Lawyers has put forward, and they have not appeared in the claims.” The settlement claim comes soon after BA received a £2 billion loan backed by the UK government. The loan has been made possible by a state guarantee designed to help UK businesses post-Brexit. According to BA’s parent company, International Airlines Group (IAG), the loan “will be used to enhance liquidity and provide British Airways with the operational and strategic flexibility to take advantage of a partial recovery in demand for air travel in 2021 as Covid-19 vaccines are distributed worldwide.” However, some feel that the loan will be used to help pay the possible compensation bill.