BA customers given the green light for class-action lawsuit over 2018 data breach
Half-a-million BA customers affected by 2018 Magecart security breach can join class-action lawsuit, High Court rules
As many as half-a-million customers are set to take advantage of the class-action lawsuit provisions of GDPR to sue airline British Airways over its 2018 data breach.
The green light was signalled by Justice Mark Warby in a hearing at the High Court in London on Friday, with the grant of a group litigation order enabling a mass legal action against British Airways to go ahead.
The legal action will add to the already high costs to BA of the Magecart security breach of August and September 2018 when the company's payment pages were hacked.
In July this year, the Information Commissioner's Office (ICO) proposed a £183 million fine on British Airways. The proposed fine was the first levied in the GDPR era, which empowers the ICO to fine companies up to four per cent of global turnover for data breaches. The BA fine represents 1.5 per cent of the company's global turnover.
Before the introduction of GDPR, the maximum fine for a data breach stood at £500,000, with 20 per cent off for early payment. "The ICO's investigation has found that a variety of information was compromised by poor security arrangements at the company, including log-in, payment card, and travel booking details, as well as name and address information," the ICO explained in a statement.
The compromise occurred between 21 August and 5 September 2018. Attackers were able to inject malicious JavaScript into the company's payment pages, which were used by both its online e-commerce portal and its mobile app. The JavaScript exfiltrated customer information to servers controlled by the attackers.
The attack has been categorised as a Magecart attack, and British Airways is one of possibly thousands of victims of such attacks in recent years. Hotel chain Marriott was also notified by the ICO of an intention to levy a £99 million fine over a November 2018 data breach, just a day after BA received its notification.
Class-action lawsuits are also a new feature of the GDPR era.
Writing for Computing back in December 2016, data privacy expert and FieldFisher director Dr Kuan Hon warned about the possibility of class-action lawsuits adding to companies' costs following data breaches.
"'Class actions' will be another possibility under the GDPR, in the sense of quasi-class-actions brought by non-governmental organisations on behalf of individuals," she wrote.
"Class actions for data protection breaches are not common in the UK at the moment, but if you're a controller or a processor of personal data, you should be concerned about the potential for these quasi-class actions in the future."