British Airways parent IAG has disclosed that the cyber attack announced last month affected even more customers than previously thought – an additional 185,000 may have had their data accessed.
In a stock exchange announcement, IAG revealed that an internal probe had turned up evidence of another breach earlier in the year, affecting two groups of customers between April 21 and July 28, 2018.
All 185,000 may have had their personal data exposed, including name, billing address, and email address. In 77,000 of these cases, payment card information was also potentially leaked, including card number, expiry date and CVV number.
IAG also revealed that of the 380,000 payment card details identified as at risk in the later breach (which occurred between August 21st and September 5th), only 244,000 were ‘affected’. That still puts the total at over 400,000.
“While British Airways does not have conclusive evidence that the data was removed from its systems, it is taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” IAG said. “Since the announcement on September 6, 2018, British Airways can confirm that it has had no verified cases of fraud.”
However, the breaches still leave the company facing fines – but perhaps more significantly, they also leave it facing a group litigation order, or class-action lawsuit.
While the chances of BA being charged the maximum fines for regulatory noncompliance (GDPR or PCI DSS-related) are not high, the group litigation order could see claimants paid as much as £1,500 each, “and in many instances significantly more”.
Individually, that’s hardly a prince’s ransom. But if even half the customers who potentially had their details exposed were to join, a successful suit could cost BA hundreds of millions in payouts.
Class-action lawsuits for data breaches are far more common in the United States than in the United Kingdom. They’ve resulted in substantial settlements – for example, following its 2013 breach, Target agreed on a settlement of $10 million to customers, as well as reimbursing plaintiffs’ attorneys’ fees and expenses up to $6.75 million, and settling with MasterCard on behalf of affected card issuers for $19 million. The majority of the US’s data breach lawsuits, however, are unsuccessful.
The BA lawsuit isn’t the only one on the cards – following the leak of payroll data by a former employee, Morrisons is facing the UK’s first data leak class action. In December last year, the High Court found the supermarket liable for the leak, a decision which was recently upheld by the Court of Appeal despite Morrisons’ challenge. The company now plans to take the challenge to the Supreme Court – but the way the case has unfolded suggests storm clouds on the horizon for British Airways.
Addendum, November 2018: Since the publication of this post, SPG Law have changed their estimate of compensation from £1,500 to “thousands or possibly tens of thousands”.