ba group action
, ,

British Airways data breach group action gets the go-ahead

British Airways (BA) customers have been given permission to launch compensation claims against the airline following a huge data breach in 2018. At the High Court , Mr Justice Warby granted a group litigation order, paving the way for the group action against BA.

What happened in this case?

Last year, almost half a million British Airways customers had their personal data stolen in series of breaches.

Hackers accessed the BA website and mobile app to steal information including card details, addresses, email addresses and travel arrangements. According to an investigation by the Information Commissioner’s Office (ICO), some passengers were taken to a fake website where hackers harvested their details. Also, many customers were forced to change their bank accounts or credit cards.

Earlier this year, the ICO announced its intention to impose a fine of more than £183 million on BA over the breach. The series of hacks, were some of the most severe cyber-attacks in UK history. And they were only possible due to inadequate security arrangements at the airline.

But, while the ICO has the power to impose data breach fines, it does not give this money to victims. That’s why making a compensation claim is so important. Furthermore, we can use the evidence uncovered by the ICO to make a very strong case. So, if your data was put at risk by BA, you should now make a data breach compensation claim.

Join our No Win, No Fee, BA compensation case

At Hayes Connor Solicitors, we have already started a group action claim against British Airways to help victims of this data breach to secure compensation.

We can help you claim compensation for financial losses, as well as for inconvenience and distress. And, following a recent ruling[1], we can now claim on your behalf even if you haven’t suffered financial or emotional damage as a result. The loss of control of your personal information is sufficient grounds to make a claim.

What is a group action case?

A group action claim is where a group of people – sometimes even thousands of people – have been affected by the same issue. Group action cases are also known as class actions or multi-party actions.

With a group action claim, this group of people (the Claimants) collectively bring their cases to court against a Defendant (in this case, British Airways). These victims then fight together to achieve compensation in the High Court of Justice.

Where cases are very similar, group actions can be a powerful tool and can have a bigger impact than a single claim.

Use a data breach expert for the best chance of success

At Hayes Connor Solicitors, we believe that the best way to make big companies pay for their data protection failures is to use a specialist lawyer. Of course, you would expect us to say that – but let us explain why.

We have become a true specialist in data breach law. This is all we do. And, because of this, we have the legal expertise needed to take on big players such as BA, Ticketmaster and Equifax.

In addition to our own legal expertise, we also work with expert barristers to help us win our cases. So, we are confident that our team will get the results you deserve.

Crucially, when it comes to making a compensation claim, a lack of care can leave data breach victims open to advice and representation below the standard expected. And this could see you lose out financially as a result.

Don’t miss out on the compensation you deserve in the BA group action!

Since the data breach, we have been contacted by hundreds of people who were put at risk by BA.

The action that we are taking is still open to you to join. But, as we have already started our group action case, it is vital that you register with us ASAP.

To join our British Airways data breach group action compensation claim, register with us today.


[1] Lloyd v Google

GDPR Weekly Show – Episode 62 – 20th October 2019

Hayes Connor featured on this week’s GDPR podcast with news of our client’s successful data breach claim against his local NHS Trust after it shared confidential details from his medical records without consent (listen from 11 minutes, 13 seconds).

The podcast also features news of the team’s landmark representative action against Equifax worth an estimated £100 million (listen from 28 minutes, 14 seconds).

Hayes Connor issues landmark £100 million data breach claim against Equifax

North West based data breach and cybersecurity specialist Hayes Connor Solicitors is the first in the UK to serve a representative data breach claim in the High Court. The action could see Equifax ordered to pay up to £100 million in compensation to its estimated 15 million UK customers affected by its 2017 data breach.

The action follows the Court of Appeal’s decision on the Lloyd v Google case on 2nd October which ruled that a law firm could bring a claim for compensation for just one affected individual following a data breach and be awarded compensation for the entire affected population.

Kingsley Hayes, managing director at data breach and cybersecurity specialist Hayes Connor Solicitors, said: “We are delighted to be the first firm to issue proceedings following the Court of Appeal’s recent ground-breaking ruling which allows us to pursue the total amount of compensation due to Equifax’s 15 million affected UK customers.

“We estimate the total value of the claim to be £100 million which, if won, Hayes Connor would distribute to all affected individuals. Equifax was found by the ICO to have failed in its data protection obligations on multiple levels including failing to comply with how customers’ personal information can be processed and stored and how that private data should be secured.

“Following hackers successfully accessing its systems in America to steal the personal information of a reported 143 million individuals, the personal data of its UK customers was also exposed including email addresses, usernames, passwords, security questions, phone numbers and credit card details.

“This is the first time that a data breach claim has been issued in the UK on behalf of all affected parties. The Court of Appeal ruling has made it easier for all data breach victims to be fairly compensated.”

Equifax suffered significant financial losses following the data breach which was announced in March 2017 with US lawsuits resulting in the credit report giant fined $290 million and ordered to pay a further $1.4 billion to compensate affected American customers.

The ICO found that Equifax had failed on multiple counts in how it stored, processed and protected its UK customer’s personal information imposing a minimum £500k fine in September 2018 as the breach occurred pre GDPR.

Hayes Connor has instructed Louis Browne QC and Ian Whitehurst of Exchange Chambers in Liverpool in the landmark action.

Hayes Connor Solicitors was recently appointed as data protection supplier to the Communication Workers Union and is currently acting for thousands of claimants with data breach action against Ticketmaster, Equifax, Marriott International, TeamSport, Dixons Carphone and the Police Federation of England and Wales.


Salisbury Journal, 13th October 2019

We were pleased to secure £1,500 for our client after he discovered that his local NHS Trust had breached his data protection rights. His confidential medical files were accessed and information shared with a third party without his knowledge or consent.

Liverpool Business News, 9th October 2019

Liverpool Business News featured news of Hayes Connor’s £multi-million data breach claim against British Airways following its 2018 data breach.  Affected individuals have a 15 month window to join the group litigation for compensation.

Hayes Connor highly commended in Innovative Marketing award

Data breach and cybersecurity specialist Hayes Connor Solicitors was highly commended for its innovative marketing at The Symphony Legal Annual Conference held in Hinckley in September.

The firm was recognised for its client focused approach to marketing with its use of technology to simplify the enquiries process and increase speed of response, alongside its content and PR strategy to raise awareness of consumers’ data protection rights, highly commended. Read more

Today’s Legal Cyber Risk, 13th September 2019

Kingsley Hayes raised concerns about data protection on mobile phones following news that a serious cyber security risk had been exposed affecting one billion smartphones. The significant gap in security was only identified following an independent third party’s research.

Today’s Legal Cyber Risk, 10th September 2019

We commented following the exposure of a data breach by Teletex after it was discovered that thousands of customer calls had been stored unsecured for three years. The calls contained customers’ postal and email addresses, phone numbers and dates of birth. Kingsley Hayes comments that the latest breach is a stark reminder that storing private information in the cloud does not mean that that data is automatically secure. 

SAR Requets
, ,

Metropolitan Police failing to respond to subject access requests

You have the right to find out if an organisation is using or storing your personal data. To exercise this right, all you have to do is ask for a copy of this data. This is called making a subject access request (SAR). The ICO (the UK’s data protection regulator) has been working with the Metropolitan Police Service (MPS) to address its large SARs backlog. However, the MPS has more than 1,100 open requests. With nearly 680 over three months old. The ICO believes that this is a cause for concern.

What has happened in this case?

The ICO has issued two enforcement notices ordering the Metropolitan Police Service to respond to all SARs by September 2019. The regulator has also asked the MPS to “make changes to its internal systems, procedures or policies, so that people are kept up to date on any delays that may affect their data protection rights and how the situation is being addressed.”

The ICO added, “Ultimately, the public must be able to trust that police forces are upholding their information rights, and this case is a reminder to other police forces that we will take action against those organisations that do not comply with their SAR obligations”.

What do you need to know about making a subject access request?

Find out how to make a Subject Access Request on the ICO website.

Crucially, when it comes to making a subject access request, the ICO has stated that there is “no requirement for a request to be in writing”.

What can you use a SAR for?

You can use a SAR to find out:

  • What personal data an organisation holds about you
  • Whether an organisation is processing your personal data
  • How the organisation got hold of your data
  • The types of personal data being processed
  • Why your data is being processed
  • Any third parties that your data is being shared with
  • How long your data will be kept for
  • How you can have your data amended or deleted
  • Whether they use any automated decision-making processes
  • Any other supplementary information.

Of course, it could take longer for an organisation to supply everything they have about you. So, if you only need certain data and you want to speed things up, it makes sense to be specific.

The ICO has provided a handy template to help you to do this.

What else do you need to know about making a subject access request?

  • Organisations should provide contact information for making a SAR. Under the GDPR, this information should be available on an organisation’s website (check the privacy policy usually found in the footer)
  • Requests can be responded to electronically (as long as it is secure)
  • You can ask for a paper copy of the data held about you, but a company only has to provide this if it is reasonable to do so
  • SARs need to be replied to within one calendar month. However, they might need extra time to consider your request and, if so, can take an additional two months to do this
  • Organisations must make you aware of any delays which may affect their requests. They should also explain how the situation is being addressed
  • Organisations can ask for further information to establish your identity, particularly where sensitive data is involved. However, such requests must be “reasonable and proportionate”
  • A copy of your personal data should be provided at no cost to you. Although “reasonable” fees can be charged for manifestly unfounded or excessive requests
  • An organisation can refuse a SAR if they believe it to be ‘manifestly unfounded or excessive’. They may also deny a SAR if your data includes information about another individual. However, they can’t just ignore you. They must still write to you and explain why your SAR is being refused
  • You have a legal right to ‘rectification’ of your records. So, if something in your data is wrong, you can ask to have it corrected. Organisations have one month to respond to your request
  • If you are worried about the way an organisation is handling your information, the ICO has provided a handy letter template to help you to raise your concerns.

What can you do if you don’t believe your SAR has been taken seriously?

If you believe any fees to be unfair, you can complain to the organisation in question. However, if the matter is not resolved, you should report your concerns to the ICO.

If more than a month has passed since you made your SAR, and you have not heard anything back, you should write to the organisation reminding them of your request and their obligations under the GDPR. And, if you still don’t hear back, you should complain to them using their complaints process. And, if you are not happy with their response, you can complain to the ICO.

If you think your request has been rejected unjustly, you can raise a complaint with the organisation in question. And if you remain dissatisfied, the ICO.

If the organisation refuses to change their records, you can complain to the ICO. However, there’s a difference between information that is incorrect and information that you disagree with. For example, if you have a dispute with your doctor over a diagnosis, you can’t change your health records. However, you might be able to add a note to this record stating that you disagree with the medical opinion.

If you believe that an organisation is not handling your data properly, you can also complain to the ICO.

Find out more about Subject Access Requests.

Data protection solicitors

At Hayes Connor Solicitors, we are committed to upholding the data protection rights of our clients. For more advice on your rights, and how to keep your data safe, follow us on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, contact us to find out how we can help you to recover any losses.

Teletext data breach exposes risk of cloud storage usage

It was announced last week that Teletext, the trading name for package holiday firm Truly Travel, had risked customers’ personal data following the discovery that 212,000 customer call recordings had been left on an unprotected server for three years*. Read more