
BA data theft: should I join the class action suit?

Old Oct 27, 2018, 12:42 am
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: T8191
This thread relates to SPG Law's proposed Group Proceedings against British Airways, in respect of the Data Protection Act 2018 (which incorporates the GDPR).
There is a separate thread that relates to the actual data breaches and their implications for customers, which is to be found here: BA Investigating Theft of Personal and Financial Data

The one law firm that currently seems to be pursuing a Class Action against BA is SPG. They have a specific site set up at https://www.badatabreach.com/ - please make sure you check all the FAQs and terms and conditions and make sure the Class Action is right for you before you sign up.

* SPG is now PGMBM.
* Payments are being made through Shieldpay, who are seeming to be both lethargic and/or inept.

Old Oct 27, 2018, 3:53 am
  #46  
 
Join Date: Jul 2005
Location: London, ARN, HEL, ..... or MAN
Programs: BA GGL / GFL, Mucci Diamond!, HH Diamond, Radisson Premium, IHG Gold, Hertz Gold
Posts: 5,845
Originally Posted by bisonrav
It's kind of foolish not to sign up as it's a bet to nothing, but it's also naive to expect BA to be making statements to individuals or making gestures that might imply guilt. Whatever your status or historical spend.

Those people saying they just want it to be stuck to BA will be happy to know that that is exactly what GDPR does. And while BA are on the hook for 4% turnover everything they say or do will be subject to detailed legal review and staff will have been told to stick strictly to the agreed form of words. No exceptions. That means slow and tortuous comms. AMEX can react far faster.

I'm sure many people here are senior in organisations and would understand that that is how these situations work.

And also that 'there but for the grace of God...' Most if not all organisations are vulnerable to cybercrime. Most employees of those companies at some level create vulnerabilities usually for convenience day to day. BA happen to have been targeted because of its scale, but that doesn't imply they are unusually slapdash or that this is a result of cost cutting. This was a permissions/access hack, not an infrastructure problem (according to what is known).




You won't be surprised to know that I hold a slightly different view, other than I do agree with you that they won't admit guilt (even though, to misquote Lieutenant George, "They're as guilty as a puppy sitting next to a pile of poo").

However, none of this stops them from responding to letters, and yes I do believe in this case that any good business would prioritise a response to the customers who have so consistently shovelled piles of cash their way. That's what I would do.

Once a situation has happened, the organisation must take proactive control of the situation, through regular comms and showing that they do care about their impacted customers. Burying heads in the sand doesn't work in the world of instant comms, social media, and raised customer expectations. If they had been better at comms, then maybe some of the people on this thread would have given them the benefit of the doubt and not signed up to the class action.

Also, there is nothing to stop them providing some token of acknowledgement of the situation - this shows no admission of liability per se.

On your final point, just to be clear, whether it's infrastructure, access permissions, poor code quality, code versioning etc, these things are all clearly covered under the legislation. Access permissions are covered by the "Principle of Least Privilege" which all big organisations with external-facing services must abide by. Unless this kind of hack is completely new, then what happened will have been preventable by various best practices to cyber security. Both anecdotally, and through conversations with those who have worked in this area with BA, this was waiting to happen.
oxtailsoup and pomkiwi like this.
ThatT1Feeling is offline  
Old Oct 27, 2018, 4:02 am
  #47  
 
Join Date: Jul 2005
Location: London, ARN, HEL, ..... or MAN
Programs: BA GGL / GFL, Mucci Diamond!, HH Diamond, Radisson Premium, IHG Gold, Hertz Gold
Posts: 5,845
Originally Posted by PUCCI GALORE
I'm like HIDDY and I want to know who is paying for this. Maybe I have not seen it, but how many people anywhere have been robbed of their cash as a result of this? Yes, I have suffered inconvenience and yes I was vexed but you will excuse me if I do join in the general frenzy, but I've far greater concerns to occupy my waking hours.
For me, the important thing is that BA comes out of this by starting to take Cyber Security seriously. At the moment, they store my (and probably your) name, address, passport number, flight details, date of birth, address when in some other countries, credit card number, and those of all of my immediate family.

This episode has shown that these details are more vulnerable than they should be and I would hope that you, like me, would want your very personal details better protected. I'm totally not in it for the money. For me, the knowledge that my very personal data is better protected provides me with far more value than 1k or less from any legal action.
PUCCI GALORE likes this.
ThatT1Feeling is offline  
Old Oct 27, 2018, 4:25 am
  #48  
 
Join Date: Dec 2016
Programs: BAEC GGL/CR; Hilton Diamond; Mucci des Puccis
Posts: 5,517
What sort of business are you involved in @ThatT1Feeling? What sort of an impact would losing 4% of your revenue have on it? Do you think you would allow employees to send out ANY messaging that was not rigorously checked by lawyers if there were the remotest risk of prejudicing a defence?

The answer is clearly no. It doesn't matter what individuals spend is. BA are probably concerned about customers, but their duty is to shareholders. And rightly so.

The slightly depressing thing here (I work to some degree on cybersecurity) is that the bluster and posturing about "bad old useless BA cutting costs and not looking after our data, cost cutting/Cruz blah blah blah" is obscuring some basic and very important facts: this looks like it was about human factors (access/permissions/review processes) rather than cost. Most if not all companies are subject to similar issues, because employees are fallible. If you don't believe me, drop a USB stick in your company car park with a script that emails you when it's inserted. And wait for the email.

This should be a wake up call to everyone. Because it could very well be your business who is facing an existential threat from GDPR fines, and being subjected to ambulance chasing claims. In such cases, you would be telling your staff to stick strictly to the legally approved forms of words. Instead it's becoming a stick to hit BA with for other perceived wrongs and lessons are not being drawn.

But on the substantive issue, not being in the class action is the worst of all worlds. It loses: no effect. It wins: compensation is fixed at a top limit and shared, this is ultimately paid for by customers one way or another so you might as well get a share. The ambulance chasers don't care that this will be peanuts, as their 35% won't be.

bisonrav is online now  
Old Oct 27, 2018, 4:29 am
  #49  
 
Join Date: May 2016
Location: UK
Programs: British Airways Executive Club Gold, Global Entry
Posts: 363
Originally Posted by ThatT1Feeling
For me, the important thing is that BA comes out of this by starting to take Cyber Security seriously. At the moment, they store my (and probably your) name, address, passport number, flight details, date of birth, address when in some other countries, credit card number, and those of all of my immediate family.

This episode has shown that these details are more vulnerable than they should be and I would hope that you, like me, would want your very personal details better protected. I'm totally not in it for the money. For me, the knowledge that my very personal data is better protected provides me with far more value than 1k or less from any legal action.
Agree with this. It's not about the 1500 (minus 15%) or whatever for me, it's about BA having a sufficient punishment to make it worth their while to ensure it doesn't happen again. Under current management they have a short term share price culture. A bill approaching half a billion GBP that gains them nothing but is simply punishment for having a poor IT infrastructure, will suddenly make a half a billion investment into IT look like the right thing to do.

It's the only language they understand!

It would be awesome if we were able to organise our own FT class action. There must be some lawyers in our ranks. They could take 5-10% for costs and profit and we could donate another 5-10% to charity - possibly even the BA charity. Anyone out there??
lhrpete likes this.
FeedbirdNiner is offline  
Old Oct 27, 2018, 4:31 am
  #50  
 
Join Date: Dec 2016
Programs: BAEC GGL/CR; Hilton Diamond; Mucci des Puccis
Posts: 5,517
Also strictly speaking the stored details were not compromised - data was scraped off a data entry form. You will routinely be entering the same data into other online forms, BA somehow allowed their web code to be edited without proper review. The underlying data appears to be uncompromised. I appreciate this is a fine distinction, but it's important in understanding where the blame lies.

On the other hand, the CX breach looks much more that the underlying database was compromised, though I haven't looked at the detail of that.
bisonrav is online now  
Old Oct 27, 2018, 4:33 am
  #51  
 
Join Date: Dec 2016
Programs: BAEC GGL/CR; Hilton Diamond; Mucci des Puccis
Posts: 5,517
Originally Posted by FeedbirdNiner
Agree with this. It's not about the 1500 (minus 15%) or whatever for me, it's about BA having a sufficient punishment to make it worth their while to ensure it doesn't happen again. Under current management they have a short term share price culture. A bill approaching half a billion GBP that gains them nothing but is simply punishment for having a poor IT infrastructure, will suddenly make a half a billion investment into IT look like the right thing to do.

It's the only language they understand!

It would be awesome if we were able to organise our own FT class action. There must be some lawyers in our ranks. They could take 5-10% for costs and profit and we could donate another 5-10% to charity - possibly even the BA charity. Anyone out there??
So this is exactly what GDPR fines do. Whenever anyone says it's not about the money (or the avios), it usually is.
Markie and FeedbirdNiner like this.
bisonrav is online now  
Old Oct 27, 2018, 5:01 am
  #52  
 
Join Date: Sep 2013
Programs: BAEC Gold, EK Skywards (enhanced Blue !), Oman Air Sindbad Gold
Posts: 6,382
Originally Posted by PUCCI GALORE

.....................................

I'm like HIDDY and I want to know who is paying for this. Maybe I have not seen it, but how many people anywhere have been robbed of their cash as a result of this? Yes, I have suffered inconvenience and yes I was vexed but you will excuse me if I do join in the general frenzy, but I've far greater concerns to occupy my waking hours.
Goodness me dear PUCCI ...... when you say you're like HIDDY on this, you're referring to an FT member who - on his own admission just the other day - hasn't actually travelled anywhere in the last three years (an embargo imposed by his good wife, seemingly). Little wonder then, that when BA advise of data breaches potentially affecting customers who have made bookings between various specified dates during the past few months, it is all of zero concern to HIDDY, and indeed any others who have had no occasion to do business with BA. Or ..... as he puts it himself: I couldn't give a monkey's about it .....

Like yourself PG, I too have many other issues and activities to occupy my waking hours; which is precisely why I particularly resent having to waste a half day of a busy week contacting my various card issuers (waiting in phone queues on occasion), my bank, re-setting passwords, and meticulously trawling past transactions & statements of account, let alone the underlying anxiety. And all because of BA's failure to protect my confidential data.
subject2load is online now  
Old Oct 27, 2018, 5:02 am
  #53  
 
Join Date: Aug 2010
Location: London Stratford, E7
Programs: BAEC Gold! Thanks to FT
Posts: 3,338
I’m sure some people at Waterside are having an uncomfortable time trying to work out what happened, will it happen again etc. As Bisonrav mentioned, communications will have to be rigorously approved to not expose further liabilities, however I feel the tone and message of the “woe is me we are the victims of criminal activity” slightly insulting.

I’m not sure we have the full story either as I had my home broken into on the first day of a recent trip. The police asked if I was a BA data theft victim and seemed to indicate a high correlation of people being broken into whilst away. BA seemed to hint that travel details weren’t stolen.. they also said in May their IT issues were due to a power surge so my trust in BA isn’t 100%.

There was the negligible inconvenience of being cardless for a few days, queuing at the bank to draw money out (who even does that anymore... clearly lots of people from the length of queues), not drawing enough cash out so not being able to go out for dinner... very first world problems but I do think a gesture of goodwill wouldn’t go amiss, the status extensions and travel vouchers issued due to the IT Meltdown and snowmageddon would have had a cost attached to them as well and I think the lack of forthcoming gestures is prompting such participation in class action.





KeaneJohn is offline  
Old Oct 27, 2018, 5:09 am
  #54  
Ambassador: Emirates Airlines
 
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,554
Originally Posted by bisonrav
Also strictly speaking the stored details were not compromised - data was scraped off a data entry form. You will routinely be entering the same data into other online forms, BA somehow allowed their web code to be edited without proper review. The underlying data appears to be uncompromised. I appreciate this is a fine distinction, but it's important in understanding where the blame lies.
The blame lies with BA, whichever way you try to spin it...
DYKWIA is offline  
Old Oct 27, 2018, 5:29 am
  #55  
 
Join Date: Jul 2005
Location: London, ARN, HEL, ..... or MAN
Programs: BA GGL / GFL, Mucci Diamond!, HH Diamond, Radisson Premium, IHG Gold, Hertz Gold
Posts: 5,845
Originally Posted by bisonrav
What sort of business are you involved in @ThatT1Feeling? What sort of an impact would losing 4% of your revenue have on it? Do you think you would allow employees to send out ANY messaging that was not rigorously checked by lawyers if there were the remotest risk of prejudicing a defence?

The answer is clearly no. It doesn't matter what individuals spend is. BA are probably concerned about customers, but their duty is to shareholders. And rightly so.

The slightly depressing thing here (I work to some degree on cybersecurity) is that the bluster and posturing about "bad old useless BA cutting costs and not looking after our data, cost cutting/Cruz blah blah blah" is obscuring some basic and very important facts: this looks like it was about human factors (access/permissions/review processes) rather than cost. Most if not all companies are subject to similar issues, because employees are fallible. If you don't believe me, drop a USB stick in your company car park with a script that emails you when it's inserted. And wait for the email.

This should be a wake up call to everyone. Because it could very well be your business who is facing an existential threat from GDPR fines, and being subjected to ambulance chasing claims. In such cases, you would be telling your staff to stick strictly to the legally approved forms of words. Instead it's becoming a stick to hit BA with for other perceived wrongs and lessons are not being drawn.

But on the substantive issue, not being in the class action is the worst of all worlds. It loses: no effect. It wins: compensation is fixed at a top limit and shared, this is ultimately paid for by customers one way or another so you might as well get a share. The ambulance chasers don't care that this will be peanuts, as their 35% won't be.







For the purposes of this discussion, I am a customer of BA and am a customer caught by both breaches who is both concerned that these breaches have occurred and who is also very disappointed by the way they are managing the fallout.

For BA not to respond to a letter which was purely about some specifics of which data was compromised (so I could have been less concerned about being away from home when the details of my flights could have been out in the open), isn't acceptable. I was purely seeking a factual reply.

I take your point about them having to be really careful not to imply or admit guilt at this stage - I bet their lawyers are all over it - but that doesn't excuse what is coming across as a defensive and even patronising set of words about the "criminal theft" and their apparent victimhood in all of this. If they were more adult in their comms, I might be less disappointed in them.

I agree that in this case, the breach appears to have been at the point of transaction rather than a breach of the underlying stored data - but the way it's happened, with other breaches being found during the investigation and the fact that it was undetected for some weeks, leads me to have concern about their broader approach to cyber security.

Whether my business could cope with a 4% fine of turnover is interesting but I would argue not really the point (although it's kind of you to have answered the question you posed to me in your following sentence, thereby saving me the trouble)! Certainly I'd rather not be caught out in such a way but the point here is that data security is quite rightly seen as a key legal requirement of being allowed to do business online in the territories covered by GDPR. It's set high for a good reason and it should have focused minds - that's the point. If BA has done what they should under the law and were caught out by something which reasonably could not have been prevented, then the ambulance chasers will lose, the lawyers will take a hit on at least the cost of the insurance and in many ways I will be happier if that's the result.

And finally, back to your first question. I undertake digital transformations of client businesses, including building and securing online payment transactions, be they through b2c websites, b2b websites or other data integrations. Ironically I am also a (small) BA shareholder
ThatT1Feeling is offline  
Old Oct 27, 2018, 5:49 am
  #56  
 
Join Date: Dec 2016
Programs: BAEC GGL/CR; Hilton Diamond; Mucci des Puccis
Posts: 5,517
Well obviously the blame is with BA, but characterising it as the fault of a lack of infrastructure investment is plain wrongheaded given what we know.

Without getting into the politics of victim blaming, it is possible to be both victim and to share some responsibility. Say you are burgled and someone takes a computer with emails with details of someone else's travel? Would you expect to be sued by them for punitive damages? Now that's not a directly applicable analogy to a business process lapse of this scale, but it shows it's not as simple as black v white.

I think BA will be hammered by the regulator on this by the way, as T1 says, they're responsible for poor practices and process from what we can see. They won't come out and say that. They won't make gestures that imply that. The time for that is later.
bisonrav is online now  
Old Oct 27, 2018, 6:01 am
  #57  
 
Join Date: Aug 2004
Programs: Meh
Posts: 2,582
Originally Posted by PUCCI GALORE
Why pray? What business it is of anyone whether I sign up or not. Whatever decision I take, I would not post it on an internet chatboard least of all in response to what sounds like a Playground rallying cry.

I'm like HIDDY and I want to know who is paying for this. Maybe I have not seen it, but how many people anywhere have been robbed of their cash as a result of this? Yes, I have suffered inconvenience and yes I was vexed but you will excuse me if I do join in the general frenzy, but I've far greater concerns to occupy my waking hours.
I also have better things to be doing with my waking hours than trying to cancel credit cards whilst in central China. Then to tell me my other credit card might be hacked for reward flights earlier in the year. Only for BA not to hold their hands up and act the victim...so yes I signed up not with the objective of any compensation but to assist in levering BA into accepting responsibility and ensuring this never happens again.
lhrpete likes this.
stevie is offline  
Old Oct 27, 2018, 6:10 am
  #58  
Fontaine d'honneur du Flyertalk
 
Join Date: Jul 2001
Location: Morbihan, France
Programs: Reine des Muccis de Pucci; Foreign Elitist (according to others)
Posts: 19,079
Originally Posted by subject2load


Goodness me dear PUCCI ...... when you say you're like HIDDY on this, you're referring to an FT member who - on his own admission just the other day - hasn't actually travelled anywhere in the last three years (an embargo imposed by his good wife, seemingly). Little wonder then, that when BA advise of data breaches potentially affecting customers who have made bookings between various specified dates during the past few months, it is all of zero concern to HIDDY, and indeed any others who have had no occasion to do business with BA. Or ..... as he puts it himself: I couldn't give a monkey's about it .....

Like yourself PG, I too have many other issues and activities to occupy my waking hours; which is precisely why I particularly resent having to waste a half day of a busy week contacting my various card issuers (waiting in phone queues on occasion), my bank, re-setting passwords, and meticulously trawling past transactions & statements of account, let alone the underlying anxiety. And all because of BA's failure to protect my confidential data.
Dearest - when I say that I am like HIDDY - I mean that perhaps I have lived through too much to worry about things that haven't happened, and indeed might never happen. I regard anything put out in cyberspace as being open to abuse.

Now, call it complacency, but I really did change the banks passwords, cancelled the two cards allied to the account and changed my BA password. Anyone getting the first mail would have been a fool not to do so. Probably I should have done it long before. Perhaps being a Glass Half Full Person, I tend to worry about what is happening rather than what might happen. I think that we were lulled into a false sense of security by thinking that these systems were safe. Clearly they were not. One can only speak of the level of inconvenience or loss to which anyone was put. I was put to very little, and yes I had to hold on the phone to American Express, but then I've held on far longer for other far less worthy reasons.

Please believe that I am in no way defending British Airways as I think that they were the architects of their own downfall so anxious were they to save pence and waste pounds.
subject2load likes this.
PUCCI GALORE is offline  
Old Oct 27, 2018, 6:21 am
  #59  
Moderator: Hyatt Gold Passport & Star Alliance
 
Join Date: May 1998
Location: London, UK
Programs: UA-1K 3MM/HY- LT Globalist/BA-GGL/GfL
Posts: 12,031
I joined today, not because I like these things, but because BA seems deaf to the complaints and problems it is causing for its clients. I have been hit by both data breaches and think that BA has to work hard to persuade me to book with BA.
Markie is offline  
Old Oct 27, 2018, 6:22 am
  #60  
FlyerTalk Evangelist
 
Join Date: Aug 2000
Location: London
Programs: Hilton, IHG - BA, GA, LH, QR, SV, TK
Posts: 16,965
Originally Posted by bisonrav
......Say you are burgled and someone takes a computer with emails with details of someone else's travel? Would you expect to be sued by them for punitive damages?

Now that's not a directly applicable analogy .....
Of course it isn't: clutching at straws is
IAN-UK is offline  
