The United Kingdom’s High Court has granted a group litigation order, allowing customers affected by British Airways’ (BA) 2018 data breach to bring mass legal action against the airline.
In September 2018, BA disclosed that cybercriminals had installed a malicious skimming script (a Magecart-style attack) on its payment page, which harvested names, email addresses and payment card details belonging to around 500,000 BA customers.
The ruling will allow customers seeking compensation to bring claims against the company. According to reports, there are already more than 5,200 customers being represented by law firms SPG Law and Your Lawyers Limited.
The ruling follows the UK Information Commissioner’s Office (ICO) announcement in July of its intention to fine the company a record £183m for the breach.
Under the General Data Protection Regulation (GDPR), regulators can fine a company up to €20m or 4% of its global annual turnover, whichever is higher, if inadequate security practices result in the loss of personal data.
The proposed BA fine equates to approximately 1.4% of the company’s annual revenue of £13.02bn in 2018.
BA data breach class-action lawsuit shows consequences go beyond GDPR
BA CEO Alex Cruz said that the company was “surprised and disappointed” by the ICO’s proposed record-breaking fine. However, with the BA data breach class-action lawsuit now able to proceed, the incident could end up costing the company far more.
“The news that half-a-million British Airways customers affected by the 2018 Magecart security breach will be able to join a class-action lawsuit against the airliner reinforces the power of GDPR in holding organisations accountable following the loss of customer data,” Tony Pepper, CEO of security software company Egress, said.
While the greatly increased maximum penalty introduced by GDPR has forced businesses to improve their cybersecurity practices, the High Court decision shows that “a substantial fine is not the end of the story”.
For a breach of this magnitude, Pepper estimates that further costs are likely to run into the tens of millions. Reputational damage, and the loss of business that follows it, are likely to add to BA’s misery too.
“Now that class-action lawsuits are possible under GDPR, further legal action initiated by individuals highlights what the true cost of breaching GDPR rules can be for organisations who do not do everything they can to protect customer data,” Pepper said.
“These financial penalties will only add to the existing reputational damage for those companies.”