British Airways Faces £Multimillion Fine

British Airways faces the threat of legal action over the unprecedented data breach that saw 380,000 passengers’ bank details stolen. The airline is already facing a fine of up to £500 million from the Information Commissioner’s Office for the breach. Under the European General Data Protection Regulation companies can be fined up to £17 million or four per cent of global turnover, whichever is bigger.

Last year BA’s total revenue was just over £12.2 billion, meaning it could face a fine of £489 million if the ICO takes action.

A law firm specialising in challenging big companies now claims that each passenger may be able to claim £1,250, potentially costing the carrier £475 million.

BA has already said it will compensate passengers for any financial loss, including money stolen from bank accounts. The airline has also pledged to pay for a 12-month credit-rating monitoring service for those affected. BA said: “The airline has guaranteed that financial losses suffered by customers directly because of the theft of this data from British Airways will be reimbursed.”

However, legal firm SPG Law said that it was seeking compensation on behalf of passengers for the “inconvenience, distress and misuse” of their private information.

The UK arm of the US giant Sanders Phillips Grossman claimed that BA should also pay for non-material damage, saying that it was a requirement under the Data Protection Act 2018 and General Data Protection Regulation (GDPR), which came into force in May.

The firm said that its US parent company had already acted against companies including Yahoo, Wendy’s, Target and Anthem over data breaches. A criminal inquiry into the incident is being led by specialist officers from the National Crime Agency. The ICO is carrying out its own investigation.

SPG Law told the newspaper that it had sent a “letter before action” to BA asking it to begin settlement discussions. The letter says that any failure to do so would be followed by an application for a group litigation order to allow the courts to manage a number of claims against the airline together. Partner Tom Goodhead reportedly said: “Unfortunately, this is the latest in a number of catastrophic failures in BA’s IT systems.

“Unlike previous failures, however, this data breach has caused serious inconvenience and distress to nearly 400,000 people. BA is liable to compensate for non-material damage under the Data Protection Act 2018 and SPG Law will hold it to account.”

BA was warned earlier this year that it was vulnerable to hackers, according to reports over the weekend.
The airline said that the breach was the result of a “very sophisticated, malicious criminal attack on our website”.
Chairman and chief executive Alex Cruz stressed that the carrier acted as quickly as it could.

“We became aware initially on that day and we began to work on it,” he said. “We discovered that something had happened, and immediately we began to work.”

He apologised for the failure, adding that BA was “100% committed” to compensating customers who had been financially affected.

BA admitted that 380,000 customers’ bank details could have been stolen from its website and app. Passengers’ data had been compromised from 10.58pm on August 21 until the breach was discovered and stopped at 9.45pm on Wednesday 5th September.

Travel Weekly

You Might Also Read: 

British Airways Data Breach:

 

« N. Korean Hacker Fingered For Wannacry Attacks
UK Victims Lose £28m To Cybercrime In 6 Months »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

InformationWeek

InformationWeek

InformationWeek is the world's most trusted online community for business technology professionals like you.

Odyssey

Odyssey

Odyssey is an ISO 27001 certified, Cyber -Security, Infrastructure and Risk Management Solutions integrator and a Managed Security Services Provider.

Emirates International Accreditation Center (EIAC)

Emirates International Accreditation Center (EIAC)

EIACI is the national accreditation body for the United Arab Emirates. The directory of members provides details of organisations offering certification services for ISO 27001.

Recruit.net

Recruit.net

Recruit.net allows job seekers to instantly find millions of jobs from thousands of web sites with a single search.

EOL IT Services

EOL IT Services

EOL IT Services is the UK’s most accredited provider of IT Asset Disposal (ITAD), Lifecycle Services and Data Destruction.

CyberFortress

CyberFortress

CyberFortress is an insuretech startup offering a new kind of online business interruption policy designed for small business.

IEEE Cyber Science and Technology Congress (CyberSciTech)

IEEE Cyber Science and Technology Congress (CyberSciTech)

CyberSciTech provides a platform for scientists, researchers, and engineers to share their latest ideas and advances in the broad scope of cyber-related science, technology, and application topics.

CM Blockchain Security Center

CM Blockchain Security Center

We are dedicated to building a healthier blockchain ecosystem, providing solutions to security technology, and helping those who practice in the area of blockchain to get insight into industry trends.

FifthDomain

FifthDomain

We are a specialist cyber security education and training company tackling the global cyber security skills shortage.

Yellow Brand Protection

Yellow Brand Protection

Yellow Brand Protection operates 24/7 to protect brands' Intellectual Property (IP) from infringements on all kinds of online distribution channels.

Eureka Security

Eureka Security

Eureka help organizations securely use any cloud data storage technology they need without having to compromise on security.

Purism

Purism

Purism works with hardware component manufactures and the free software community to build high quality hardware that respects your digital life.

SpireTec Solutions

SpireTec Solutions

SpireTec Solutions is an IT management training company offering 1500+ courses with state of art training facilities backed by a team of industry experts in various domains including cybersecurity.

OneZero Solutions

OneZero Solutions

OneZero specialize in cybersecurity operations, information assurance, computer network operations, solutions engineering, and project management.

Relatech

Relatech

Relatech is a Digital Enabler Solution Knowledge (D.E.S.K.) Company that offers digital services and solutions dedicated to the digital transformation of businesses.

Yondu

Yondu

Yondu empowers businesses across various industries through a wide array of innovative technology solutions to help them scale in the new digital economy.