British Airways (BA) has settled a class-action lawsuit over a major data breach on confidential terms, after 429,612 customers had their personal data stolen in a 2018 card skimming attack. The airline failed to detect that its website had been tampered with for two months.
The BA data breach settlement does not include any admission of liability by the flagship carrier, which has also had to pay the ICO a £20 million fine. The settlement for an undisclosed sum was announced by solicitors PGMBM, whose chairman Harris Pogust described it as an "extremely positive and timely solution for those affected by the data incident.”
See also: Security leaders need to focus on core discipline, embracing AI, and consolidating to critical tools
The names, debit and credit card numbers, addresses, and email addresses of BA customers were leaked after the data breach, following a Magecart-style card skimming attack on the flagship carrier's website in 2018 – which required just 22 lines of code to execute.
The attackers stole the personal data of approximately 429,612 customers and staff, the ICO found, including the names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.
The Information Commissioner's Office (ICO) said in an October 2020 report that its investigators "found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time."
BA data breach settlement: solicitors eye easyJet
As well as being the court-appointed lead solicitors in the British Airways’ data breach case, PGMBM is also representing growing numbers of claimants in a case relating to a data breach by easyJet, first revealed in May 2020. The breach saw nine million passengers’ data exposed, including names, email addresses, and travel information.
Solicitors Leigh Day are among those representing claimants on a no-win, no-fee basis in that case. Their FAQs suggest "the value of affected customers’ compensation claims is likely to vary from hundreds of pounds to over a thousand pounds in the more serious cases."
Harris added: “The pace at which we have been able to resolve this process with British Airways has been particularly encouraging and demonstrates how seriously the legal system is taking mass data incidents. This is a very positive sign as we look ahead to what will be an even bigger case against easyJet relating to their 2020 data breach."
Information Commissioner Elizabeth Denham said in the ICO's October 2020 report: “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure.
"Their failure to act was unacceptable", she added, with ICO investigators noting that BA could have deployed "numerous measures... to mitigate or prevent the risk of an attacker being able to access the BA network. These include: limiting access to applications, data and tools to only that which are required to fulfil a user’s role; undertaking rigorous testing, in the form of simulating a cyber-attack, on the business’ systems; protecting employee and third party accounts with multi-factor authentication."