BA data breach draws UK’s largest ever group claim – a victim writes

All images by the author

One sunny afternoon in September 2018, when I was working in Italy, I received an email from British Airways (BA). It informed me that the company had suffered a data breach and my personal and financial details may have been compromised. Later that evening a second email confirmed that my details were amongst those that had been affected. By then I had already changed all relevant passwords. BA offered me some free protective software but I already had some installed on my laptop. And, as I suspected, it was already too late – my personal information was out there.

In the year that followed the data breach, my credit card (the one I had used for all BA bookings) was cloned 3 times. Fortunately, my provider is vigilant and all rogue transactions were detected and payment refused. But each time my card had to be stopped immediately and I had to wait for a new one to be issued. The inbox of the emails associated with BA suffered a tidal wave of spam, scams and phishing emails. It was my first experience of the latter. These vicious attempts to extort money threaten to destroy websites and wipe out email inboxes. As both are essential to my work it was very distressing. I had to wonder why a company as solid as BA had been subject to a major security breach.

How the BA Data Breach Occurred

Alex Cruz was CEO of the low-cost airline Vueling, when he was appointed by Willie Walsh then CEO of BA’s holding company, International Airline Group (IAG). His brief was to cut BA’s costs. Cruz closed down the airline’s computer department making 700 employees redundant.  He outsourced the airline’s computer systems to India, a decision that backfired. A few months later BA’s systems went down and many flights were cancelled. When the system was hacked, an estimated 400,000 customer records were affected. The airline was subsequently threatened with a massive fine of £183 million. This was later reduced to £20 million by the Information Commissioner’s Office.

Initially, BA offered compensation to customers who suffered a direct financial loss due to the date breach but nothing for stress and distress relating to it. The company is now facing a group action claim.

The Group Action Claim

In simple terms a group action claim is a legal action brought by a group of people affected by the same incident. Instead of each individual bringing a separate claim the courts can deal with all the claims in one action. The law firm PGMBM are the lead solicitors in this group litigation case and have been advertising widely for BA customers affected by the breach to sign up with them. Those wanting to join this group action must be able to produce evidence that they received emails from BA at the time of the breach informing them that their personal data was affected. To date more than 16,000 customers have joined the case. There is a deadline of 2 April 2021 to join this action which will be pursued on a ‘no win no fee’ basis.

No Win No Fee Actions

A no win no fee action is based on the premise that a fee will not be charged should the action fail. Instead, it will be subject to an agreement that the litigant will pay a percentage of any damages won – generally around a third of the total amount received in compensation. No win no fee agreements are complicated and all documentation should be checked carefully to ensure anyone signing up for this type of agreement understands exactly what is involved. Generally, a no win, no fee action means less risk and a higher level of compensation.  These actions have a good success rate.

The Group Claim Against BA

BA is threatened with the largest ever group claim concerning a data breach in the UK’s legal history. It is also the first group lawsuit to be brought under the sweeping General Data Protection Rules that were introduced in 2018. According to Tom Goodhead, a partner at PGMBM, the airline had presided over a “monumental failure”.

Publicity surrounding this group action is suggesting victims could be receive between £6,000 and £16,000 in compensation but, in reality, the amount is more likely to be around £2,000.

At a Case Management Conference in November 2020, the judge set down directions and a timetable for the case to proceed. The initial trial to decide if BA were at fault regarding the data breach is expected to take place in June 2022. If BA is found to be liable in this trial, it will be followed by another trial to determine damages to be awarded to the various claimants.

BA says “We continue to vigorously defend the litigation in respect of the claims brought arising out of the 2018 cyber-attack.” So far there is no sign of an out of court settlement as suggested by some sources. Unless an out of court settlement is agreed – that is, an agreement to pay damages without the case being heard in court – we can expect this action to last at least 2 years.

Anyone wishing to join the group action can contact PGMBM by email at or call them on 0333 015 5900.