British Airways is facing the largest group claim over a data breach in UK legal history following a 2018 incident that exposed details of more than 400,000 of its customers.

More than 16,000 customers have joined the case ahead of a March deadline to sign up to the action, according to PGMBM, the lead solicitors in the group litigation case.

The update comes after BA indicated it was prepared to settle claims in a letter filed with the court last week and seen by the Financial Times.

The breach exposed the personal and financial data of more than 400,000 customers, and led to a £20m fine from the UK’s data protection regulator in October, down from an initial fine of £183m.

The lawyers said victims could each be compensated up to £2,000, based on previous court rulings, leaving BA facing a total bill of more than £800m if every victim came forward.

“We continue to vigorously defend the litigation in respect of the claims brought arising out of the 2018 cyber attack,” BA said.

“We do not recognise the damages figures put forward, and they have not appeared in the claims,” it added.

The Information Commissioner’s Office said the attacker potentially accessed sensitive information of BA customers, including names, addresses, payment card numbers and CVV codes.

It pointed to measures the airline could have taken to reduce the risk, such as the testing of its cyber-defences.

Still, it noted that BA had “considerably” improved its cyber security since.

Tom Goodhead, a partner at PGMBM, said BA had presided over a “monumental failure”.

“We trust companies like British Airways with our personal information and they have a duty to all of their customers and the public at large to take every possible step to keep it safe.”

The BA case is the first group lawsuit of its kind to be brought under sweeping data protection rules known as GDPR introduced in 2018.

It is also the largest “opt-in” claim in relation to a UK data breach.

It comes after 9,000 Wm Morrison employees unsuccessfully sued the supermarket after sensitive payroll data was leaked in 2014 by a disgruntled staff member.

Morrisons was found responsible by the Court of Appeal but overturned the decision at the UK’s highest court in April last year.

Ian De Freitas, a partner at law firm Farrer & Co, specialising in data protection litigation, said the BA case was “the one everybody is watching . . . this is going to be a seminal case”.

It is likely to determine the future of similar claims including a legal action against easyJet brought by thousands of customers following a cyber attack last year.

Group litigation orders are the most common vehicle for group claims in the UK and individuals must volunteer to join in order to be eligible for compensation, unlike American class action lawsuits in which affected customers are automatically added.

Such “opt-out” claims could become more common in the UK in the wake of a Court of Appeal ruling in 2019 that allowed consumer champion Richard Lloyd to bring a claim against Google on behalf of about 4m Apple iPhone users. Google has since won permission to appeal the ruling in the UK Supreme Court.

The ongoing fallout from the data breach comes as BA faces continuing heavy disruption from the coronavirus pandemic.

The airline last month secured a government guarantee for a £2bn loan to help it prepare for a recovery in air travel as vaccines are rolled out.

Copyright The Financial Times Limited 2021. All rights reserved.