Should you hold British Airways responsible for its data breach?

At Hayes Connor Solicitors, we’re helping victims of the British Airways data breach to claim compensation after their personal information was put at risk by the airline.

However, in our work we often hear people talking about how companies like British Airways (BA) should not have to pay for the acts of unscrupulous hackers. And it’s true that cybercriminals are becoming increasingly sophisticated. But this doesn’t let negligent organisations off the hook.

The truth is that in most cases, data breaches happen because of a failure to implement reasonable and robust processes. We believe that this was the case at BA.

As such, claiming compensation isn’t just in your best interests. The only way big organisations will be persuaded to take their data privacy responsibilities seriously and make improvements is by hurting their bottom line.

Brand loyalty is all well and good, but it’s vital that we don’t put the needs of big companies above the rights of their customers.

Crucially, if BA had done everything in its power to protect its customers’ data, and had robust security processes in place, it is unlikely that a claim for compensation would be successful. This is why we usually wait for the results of an investigation by the Information Commissioner’s Office (ICO) before starting a group action.

So, was BA responsible for the data breach? Let’s look at the facts.

  1. British Airways didn’t spot the data breach for two weeks

In September last year, it was revealed that almost 400,000 BA customers had their bank card details stolen in one of the most severe cyber-attacks in UK history.

Worryingly, the hack went undetected for two weeks before BA told its customers about the breach and reported the incident to the police. BA has admitted that the hackers spent more than a fortnight accessing data online and we believe that this is a significant failure by BA – one that increases the risk to passengers substantially.

With 12 days between the BA data breach occurring and the incident being detected, questions have been asked as to whether poor systems made this cyber-attack worse.

  2. British Airways uncovered a second data breach when investigating the first

To make matters worse, while the first breach was being investigated, a second data breach was also spotted at the airline.

In this instance, 77,000 people had their names, addresses, email addresses and detailed payment information taken. This included card numbers, expiry dates, and card verification value (CVV) numbers. And, a further 108,000 people had their personal details stolen. This hack could have left customers exposed for months.

  3. Hackers could already have made millions from the British Airways data hack

Russian hackers may have made millions selling credit card details stolen from BA customers. Research has found that stolen data was put up for sale on the dark web about a week after the BA breach. Hackers were charging between £7 and £40 (approximately) for each card’s worth of information.

BA says it has not received reports of fraud resulting from the attack on its own systems.

  4. The British Airways hack might have been caused by the same hackers as Ticketmaster

According to reports, a cyber-criminal operation known as Magecart is behind the recent BA data breach. The group has been very active over the past three years. It is also thought to be behind the Ticketmaster data hack.

A report by RiskIQ states that clues link the same operation to the BA breach. The company said the code found on the BA site was very similar. However, the code was modified to suit the way the airline’s website had been designed. Crucially, if RiskIQ is right about how the attack worked, a cybersecurity researcher has told the BBC that “BA should have been able to see this”. So the hack could have been very easily prevented.

Worryingly, in the Ticketmaster data breach case:

  • 63% of all the clients we took on suffered multiple fraudulent transactions on their payment cards, and
  • 31% of all our clients involved in this case suffered from distress and/or psychological trauma as a result of having their card details stolen and used in fraudulent activity.

What’s more, it is becoming increasingly clear that the impact and losses people sustain following a data breach are not always immediately apparent. Indeed, in the Ticketmaster data breach, we are starting to see cases where the impact occurred months later. This is often because data stolen is used in batches over time.

So, as yet it’s impossible to say how many people have been impacted by the BA data breach, and to what extent.

  5. British Airways has been accused of not taking its responsibilities seriously following the data breach

Following the BA data breach, the airline said that compensation claims would be discussed on an ‘individual basis’. However, it is not up to the airline to dictate the terms of any compensation payments.

In response, customers took to the media to share their fury at the airline’s handling of the privacy violation.

According to an article in The Metro, one BA customer said “They talk about compensation to be discussed on a case-by-case basis. To me, this seems incredibly unprofessional.”

He added: “They are trying to not take full responsibility for it”.

The same customer is reported to have suffered fraudulent activity on his credit card, which he used to book a BA flight during the time the data was at risk.

Some customers have complained that they have not been contacted by BA about the data breach, despite having seen fraudulent activity on their payment cards. Others have complained about BA advising customers to go to their bank for advice, rather than issuing its own instructions to help travellers stay protected.

One BA customer told the BBC: “I have six cards linked to my BA account. I have no idea how much of my data information has been stolen. I will have to go to each of my credit card providers, cancel the cards, and all the direct debits, etc., related to those cards. This will take a long time, something I have to do with no help from BA”.

Make a British Airways compensation claim with Hayes Connor Solicitors

At Hayes Connor, we want to reduce the number of data violations taking place across the UK.

To do this, we are helping to raise awareness of data breaches and cybercrime, and educating people and businesses to prevent similar infringements from happening. For more advice on how to keep your data safe, follow us on Twitter and Facebook.

But, where a breach has already occurred, it’s vital that you can recover your losses. We could be talking about one of the most severe data breach cases to hit the UK, so it’s critical that people can get the help they need.

To join our British Airways data breach group action compensation claim, you will need to register with us. We’ll let you know what is happening in this case and if and when you can make a BA data breach compensation claim.