MIAMI – British Airways (BA) has settled a lawsuit filed by customers and employees who were victims of a data breach in 2018. The event harvested names, debit and credit card details, postal addresses, and email addresses over a 15-day period.
The parties did not disclose the amount of the out-of-court settlement. The agreement does not include any admission of guilt or liability on BA’s part.
British Airways said, “We apologized to customers affected by this issue. And we are pleased we’ve been able to settle the group action. When the issue arose we acted promptly to protect and inform our customers.”
The airline suffered a Magecart-style hack on its payment processing infrastructure in 2018. That hack diverted unsuspecting victims to a malicious website that harvested customer information. Also potentially harvested were the login credentials of BA employee and Executive Club accounts.
An article on portswigger.net says that as of January, 16,000 victims had joined the suit, making it the largest group action personal data claim in UK history.
A website set up by PGMBM, the law firm handling the suit, quoted several victims as saying that the incident had damaged their credit scores.
“The response from BA was not good enough,” said the firm. “BA offered a reimbursement for customers who suffered ‘direct financial losses’ and ‘credit rating monitoring’ for those affected. But it did not consider the future repercussions that customers could suffer.”
The law firm also took aim at BA’s security measures, saying that the airline failed to implement inexpensive, technically simple security measures such as “rigorous testing”, protecting accounts with multi-factor authentication, or “limiting access to applications, data and tools to only those required to fulfill a user’s role.”
However, PGMBM acknowledged that BA has since “made considerable improvements to its IT security.”
Featured image: British Airways Boeing 787-8 Dreamliner G-ZBJM. Photo: Brandon Farris/Airways