Law firm seeking leak victims to launch £500m suit at British Airways

British Airways faces a £500m lawsuit over its recent mega-breach that exposed payment card details of 380,000 customers. The airliner last week apologised and offered to compensate customers for any direct financial loss for the attack that took place between 21 August and 5 September via its website and app. However, an …

  1. Pen-y-gors

    Fees?

    SPG Law said it would cap its fees at a maximum of 35 per cent including VAT.

    So, 35% of £500 million = £175 million. It warms the cockles of my heart to hear about lawyers willing to work for a pittance so that their clients don't suffer. And people say rude things about lawyers being money-grubbing scum who aren't fit to line the brimstone pits of hell. This will set the critics right!

    <Insert obligatory Shakespeare quote>

    1. }{amis}{
      Meh

      Re: Fees?

      Could be a lot worse: in the States the current trend for class-action suits is for the award to be paid to crony friends of the offenders via "cy pres principle" clauses.

      https://cei.org/blog/google-settlement-how-class-action-abuse-gives-money-attorneys-and-third-parties-leaving

    2. Anonymous Coward

      Re: Fees?

      SPG Law said it would cap its fees at a maximum of 35 per cent including VAT.

      Let me know when Google Play starts a class action. They only charge 30%.

    3. Anonymous Coward

      Re: Fees?

      Let's try the other one, from A Man for All Seasons:

      "Where will you hide when all the laws are beaten flat"?

      Lawyers, whatever their faults, are part of the reason things like cars and aeroplanes are so much safer nowadays. Insurance companies had a part to play, but without lawyers who would have got the manufacturers to do anything?

      The Spanish airline known as BA does need to learn the hard way that it cannot cut corners, just as does the Spanish bank known as TSB. Even if the damages are limited to the bank costs of replacing all those credit cards, the harm caused is real.

      1. MacroRodent

        Re: Fees?

        but without lawyers who would have got the manufacturers to do anything?

        The state, perhaps? Of course, that only applies to countries where the state is not a fully-owned subsidiary of industry.

        1. Anonymous Coward

          Re: Fees?

          "The state, perhaps? Of course, that only applies to countries where the state is not a fully-owned subsidiary of industry."

          But without laws and lawyers, that would be an arbitrary State with no control over its power. A dictatorship, in fact.

          1. MacroRodent

            Re: Fees?

            But without laws and lawyers, that would be an arbitrary State with no control over its power. A dictatorship, in fact.

            Certainly true, and I am not advocating getting rid of laws and lawyers. However, setting industry regulations and sanctioning their violations is properly a function of the state (of course with inputs from citizens and the industry).

    4. macjules

      Re: Fees?

      Did El Bard ever have a line such as, "First we kill Tata Control Services"?

      I think we should be told.

    5. Anonymous Coward

      Re: Fees?

      "aren't fit to line the brimstone pits of hell"

      Too right! Even we have standards you know!

      Abezethibou (Colin).

      Demon in chief.

      Brimstone Pits.

      Hell.

  2. fronty
    Mushroom

    Throw the book at them I say... but can you please wait until I've flown back home tonight as my return flight from Edinburgh is on BA. Thanks. ;-)

  3. Anonymous Coward

    Won't happen.

    English law is very strict about proving demonstrable loss. Which is why very few data breaches ever result in redress.

    Now if we allowed special damages (is that the US concept ?) ...

    But we don't.

    Also, poor people are expected to suffer anyway, so are deemed to be less affected by such things.

  4. a_yank_lurker

    GDPR Strikes?

    Might we see how much teeth the GDPR really has? Also, can the EU step in now? (second question out of ignorance of the legal details)

    1. Anonymous Coward

      Re: GDPR Strikes?

      Well the DPA 2018 is in effect and the ICO was complaining how little power the previous regime allowed them to wield against Facebook. They might be tempted to throw the GDPR book at BA 'pour encourager les autres'.

  5. Anonymous Coward

    SPG Law

    Sue

    Prosecute

    and

    Gobble

    SOP for an awful lot of Lawyers these days. £175Million? I wouldn't give them 1.75 even if they were begging on the streets.

    Not a good event for BA but to have these bottom feeders taking 35% inc VAT is way beyond a joke.

    IMHO, anyone joining the class action will be lucky to see £17.50 before tax.

  6. Anonymous Coward

    The firm, which cynics might dismiss as an ambulance chaser

    Let's not use weasel words here. 'Cynics' < normal people. 'Might' < do.

  7. Anonymous Coward

    And So It Begins - Payback is a bitch

    This is the only thing that will concentrate minds as regards Data-Crimes.

    Whether it's not securing data, a door-left-open, cost-cutting, outsourcing.

    Screw the ICO/Irish-DPC, they're really just toothless banking regulators!

    1. I_am_not_a_number

      Re: And So It Begins - Payback is a bitch

      I see a lot of remarks here who regard the ICO as toothless. Perhaps before May 25th 2018 but after that date, less so.

      Article 58 covers the powers bestowed upon the "Supervisory Authority" (ICO) and now can:

      "obtain access to any premises of the controller and the processor, including to any data processing equipment and means, in accordance with Union or Member State procedural law."

      "...to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;"

      (ref: https://gdpr-info.eu/art-58-gdpr )

      The second of the points above is a bigger deal as the ICO can "order" them to comply. Related is Article 32 which is a key provision, as it covers "Security of Processing" which carries the burden of providing assurance of the CIA triad. I'm sure it'd be a major hassle if the regulator is breathing down your neck and publishing at the same time any (lack of) progress.

      I can almost hear the people in the back row saying "yeah, yeah but it's never been tested in court, blah blah". True. Equally, the ICO will be keen to be seen as being able to flex its muscles after its relatively weak fine on FB.

      That said, there's a lot of unjustified glee about the potential fines.

      Whilst it's true that it can be 2% or 4% etc, it also needs to be "effective, proportionate and dissuasive."

      The operative word here is proportionate since it needs to take into account "the intentional or negligent character of the infringement" (Article 83).

      If BA can show that they've had an ongoing programme of security audits, risk assessments and/or pen tests, then, I can see them arguing the toss and get away without a "total b*tchslap". At the same time, there's still sufficient scope for it to hurt.

  8. Pete 2 Silver badge

    35% of what?

    So the bloodsuckerslawyers will only take 35%. But they will arrange insurance for if they lose. Presumably that doesn't count towards their fees.

    Given the chances of losing, one could understand if the insurance was quite high - through a subsidiary, perchance? So it would be interesting to see just how much (or how little) ended up in the hands of BA customers.

    1. Anonymous Coward

      Re: 35% of what?

      I wonder who pays for the insurance?

      "Congratulations, you have just won a share of £500m! It's easy, just sign up here on our website. By the way, before you can join, we require you to send us £200 to cover insurance"

      Sounds familiar somehow...

      1. Anonymous Coward

        Re: 35% of what?

        I work for one of the companies that specialise in this kind of insurance. In industry parlance this would be an A.T.E (After The Event) policy, AKA "No Win No Fee".

        The solicitor representing the injured party would come to us asking for a policy and our underwriters would evaluate the risks and possibility of winning. Once we have accepted the case we then fund the case costs, only receiving any money once the case is won; if the case is lost we lose all funds invested in the case.

        This means that we the insurers are paying for everything for an average case lifespan of ~5 years. This is why this kind of case cuts into the payout so hard, as the insurers are sat on a substantial risk for a long time.

  9. Will Godfrey Silver badge
    Unhappy

    Vultures Circling.

    See title.

  10. alain williams Silver badge

    A better way of effecting change

    Rather than suing BA for about 1/3 of last year's profit, something that will be regarded as a business cost and forgotten in a few years -- the individuals responsible for failing to ensure secure systems (eg BA board & top level Web managers) should be fined; something like 80% of their assets (ie house) and their pension pot. This will be noticed by directors, etc, in other companies who will then ensure that the same thing cannot happen to them.

    I assume that customers who suffered losses will have those repaid by BA; something for the inconvenience would also be good.

    1. Anonymous Coward

      Re: A better way of effecting change

      The ICO now has the GDPR powers of imposing penalties of 4% of turnover or €20 million. Add that to any legal costs awarded against BA as well as the expenses of fixing the problem and compensating victims; and shareholders might feel sufficiently poor to countenance a clearout at the top of BA and IAG.

      Though it would be nice to see some senior executives finally taking a personal hit.

      1. Anonymous Coward

        Re: A better way of effecting change

        a clearout at the top of BA and IAG

        Who will all get their golden parachutes, so have nothing to worry about personally.

    2. David Roberts
      IT Angle

      Re: A better way of effecting change

      I assume that you, using this site, work in IT?

      Therefore I assume that you are prepared to accept similar punishment should one of your mistakes or oversights contribute to a data breach.

      80% of your assets including your house and pension pot should concentrate your mind wonderfully.

    3. Anonymous Coward

      Re: A better way of effecting change

      Rather than suing BA for about 1/3 of last year's profit, something that will be regarded as a business cost and forgotten in a few years -- the individuals responsible for failing to ensure secure systems (eg BA board & top level Web managers) should be fined; something like 80% of their assets (ie house) and their pension pot. This will be noticed by directors, etc, in other companies who will then ensure that the same thing cannot happen to them.

      'Limited company'; the clue's in the name.

  11. MarcM

    I was one of them

    I was one of the people to be told that I might have been hacked.

    The first email from BA was extremely poor - so much so that I replied to tell them it was piss poor (without any reply back). Basically, it was "we allowed your details to be stolen, we're sorry, get in touch with your bank". No explanation, just curt.

    So far no untoward activity - but according to my bank I now have to sign up to Experian to make sure some other finance/policies have been taken out in my name.

    So yes I am angry. I've been put out and now have to live with uncertainty. Yes BA need a lesson where it hurts. 35% is expensive, but it's no win. So stop with the moaning at lawyers you unreasonable people. Wait until it happens to you.

    1. tiggity Silver badge

      Re: I was one of them

      @ MarcM

      The irony of having to sign up with Experian (they are no stranger to data breaches themselves)

      Data breaches all the way down

  12. Andy The Hat Silver badge

    Perhaps I'm wrong?

    My problem with all of this 'hacker' stuff is that the company who, by any stretch of the imagination, was a victim in this case is the one who will get smacked by whatever claims/fines are imposed. It's like fining the victim of a bike theft because they fitted a cheap lock ...

    Why aren't we spending more money chasing the actual perpetrators instead?

    That of course does require that the company did something to protect their data in the first place requiring nefarious means to access it ...

    1. This post has been deleted by its author
