Lawyers have accused British Airways (BA) of shirking its responsibility for the 2018 data breach, which affected more than 500,000 customers, by trying to narrow the compensation claim window for victims.
The flag carrier has applied to launch its own class action for victims of the breach. However, the conditions say claimants must join within 17 weeks of its opening. The move by the airline is "cynical", said Your Lawyers, which represent claimants as part of a group action for compensation from BA.
"Victims of the breach could receive as much as £16,000 each in cases where psychological injury is extreme, while average compensation payments for the distress suffered by those affected could reach £6,000," said an announcement by Your Lawyers.
"Financial losses from fraud resulting from the hack will also be claimed in addition to compensation for the distress caused to BA’s affected customers."
The Information Commissioner’s Office in July proposed a £183-million penalty on British Airways over the data breach, the biggest fine ever handed out by the ICO and the first to be proposed under GDPR.
"The days where the impact of a breach was limited to a small fine and an apology are long gone," said Javvad Malik, security awareness advocate at KnowBe4.
"Customers and regulators demand a greater level of responsibility from providers to protect and secure their personal and financial information. And any breach of this trust will inevitably lead to bigger impact on companies from lawyers, customers, and regulatory bodies."
According to the lawyer group, hardly 6,000 potential claimants have contacted lawyers form claiming compensation, which is a little over one per cent of the number entitled to claim.
"This is a new low for British Airways, a disgrace. It has let down hundreds of thousands of customers by losing their card payment details. Now it is failing them again by giving everyone affected just 17 weeks to claim rightful compensation for the distress caused," Your Lawyers director Aman Johal said in the announcement.
"Never mind ‘To fly, to serve’, BA should change its tagline to ‘To fly, to swerve responsibility’," he added.
"Previous group litigation orders have been applied for by claimants, not defendants. In large consumer actions such as this, the court would never allow such a short recruitment window (as this would mean that most claimants would miss out on the group litigation orders) unless BA could guarantee that all its affected customers have been notified," said the announcement.
Companies must create and foster a culture of security across the organisation, said Malik.
"Not only will this ensure that security is baked in throughout every step and will likely minimise the likelihood of an attack, but it will ensure measures are put in place on how to respond to a breach and provide the correct information to affected customers and regulators in a timely manner," he added.
Readers affected by the data breach can find out more about receiving compensation here.