FlyerTalk Forums - View Single Post - BA data theft: should I join the class action suit?
Old Oct 27, 2018, 3:53 am
  #46  
ThatT1Feeling
 
Join Date: Jul 2005
Location: London, ARN, HEL, ..... or MAN
Programs: BA GGL / GFL, Mucci Diamond!, HH Diamond, Radisson Premium, IHG Gold, Hertz Gold
Posts: 5,905
Originally Posted by bisonrav
It's kind of foolish not to sign up as it's a bet to nothing, but it's also naive to expect BA to be making statements to individuals or making gestures that might imply guilt. Whatever your status or historical spend.

Those people saying they just want it to be stuck to BA will be happy to know that that is exactly what GDPR does. And while BA are on the hook for 4% turnover everything they say or do will be subject to detailed legal review and staff will have been told to stick strictly to the agreed form of words. No exceptions. That means slow and tortuous comms. AMEX can react far faster.

I'm sure many people here are senior in organisations and would understand that that is how these situations work.

And also that 'there but for the grace of God...' Most if not all organisations are vulnerable to cybercrime. Most employees of those companies at some level create vulnerabilities usually for convenience day to day. BA happen to have been targeted because of its scale, but that doesn't imply they are unusually slapdash or that this is a result of cost cutting. This was a permissions/access hack, not an infrastructure problem (according to what is known).

You won't be surprised to know that I hold a slightly different view, other than I do agree with you that they won't admit guilt (even though, to misquote Lieutenant George, "They're as guilty as a puppy sitting next to a pile of poo").

However, none of this stops them from responding to letters, and yes I do believe in this case that any good business would prioritise a response to the customers who have so consistently shovelled piles of cash their way. That's what I would do.

Once a situation has happened, the organisation must take proactive control of the situation, through regular comms and showing that they do care about their impacted customers. Burying heads in the sand doesn't work in the world of instant comms, social media, and raised customer expectations. If they had been better at comms, then maybe some of the people on this thread would have given them the benefit of the doubt and not signed up to the class action.

Also, there is nothing to stop them providing some token of acknowledgement of the situation - this shows no admission of liability per se.

On your final point, just to be clear, whether it's infrastructure, access permissions, poor code quality, code versioning etc., these things are all clearly covered under the legislation. Access permissions are covered by the "Principle of Least Privilege" which all big organisations with external-facing services must abide by. Unless this kind of hack is completely new, then what happened will have been preventable by various best practices in cyber security. Both anecdotally, and through conversations with those who have worked in this area with BA, this was waiting to happen.