British Airways staff data breach claim

In June 2023, BA contacted current and former staff stating that it had been notified by Zellis, a company providing it with payroll support services, that it had experienced a cyber-security incident which had led to a disclosure of personal information of staff paid through BA’s payroll in the UK and Ireland. Zellis also issued a statement confirming that it had suffered a data breach affecting a number of its customers.

BA stated that the incident happened as a result of a previously unseen vulnerability in a widely used file transfer tool called MOVEit which was used by Zellis.

The notification continued that BA understood that employees' names, contact details (home address and work email), dates of birth, national insurance numbers, banking details (account number and sort code), pay and reward details and other ancillary data relating to employees’ roles had been compromised.

BA stated that they were taking the data breach incredibly seriously and that they had informed the Information Commissioner’s Office and UK National Cyber Security Centre of the incident.

BA also stated that they had set up a credit and web monitoring package with Experian that would be available free of charge to those affected for the next 12 months. They also said that they were working with Zellis and their cybersecurity partners to monitor for any online activity.

As well as signing up to and using the credit and web monitoring package with Experian, BA also encouraged those affected to monitor their bank accounts for unauthorised activity, follow guidance issued by the Information Commissioner’s Office and UK National Cyber Security Centre in relation to fraud and identity theft and, if worried, to change passwords on online accounts.

Microsoft and IT specialists have attributed the cyber-attack to the notorious Russian ransomware group C10p (Clop), on the basis of their similarity to previous attacks by the group. Clop then posted a notice on its darknet site stating that it had exploited vulnerabilities in the MOVEit software to download data from “hundreds of companies”, without naming them, and warned affected organisations to contact them to agree a ransom payment or they would start publishing the stolen data.

Following the expiry of the deadline for contacting them, Clop have started posting data from certain companies, including Shell and Aon, on its website. At the time of writing, no data relating to BA staff appears to have been posted.

Those affected by the data breach may have claims against BA and / or Zellis and / or Progress Software for failing to take the necessary action to keep their personal data safe and obtain compensation for the distress and / or any financial losses that this has caused.

While investigations are at an early stage, issues that will need to be considered include the adequacy of the design and maintenance of the software, any failure to identify and promptly notify customers of flaws in the software and provide necessary upgrades / patches, any failure of customers to promptly install any upgrades / patches, any failure to monitor indicators of unauthorised access or suspicious activity and take action as well as the appropriateness of using the software for the tasks for which it was used, and / or the failure to take additional security measures.

On the present information, there may be grounds for bringing a claim for breach of the UK General Data Protection Regulation and / or the Data Protection Act 2018, misuse of private information, breach of confidence and negligence.

BA appear to have notified current or former staff affected by the data breach in June 2023.

If you were notified by BA that your personal data has been affected by the data breach in or about June 2023, you may have a claim for compensation if you have suffered distress and / or any financial loss as a result of the data breach. You can claim for compensation for the distress caused by the data breach even if you have not lost any money.

How much compensation you can claim may depend on specific factors of your case, such as:

• The personal information accessed, including whether this included your bank account details.
• How many people had unauthorised access to your personal information and for how long.
• The emotional distress caused by the breach.
• Any financial losses experienced as a result of the data breach.

On the information currently available, we consider that the value of affected customers’ compensation claims could be over a thousand pounds.

We will obtain a more detailed assessment of the value of the claims from the barristers specialising in data breach matters that we will be instructing in this matter after we have completed our investigations.

It’s too early to provide a timescale for when the matter will be resolved and you may receive any compensation for the data breach. To an extent, this will depend on how BA / Zellis / Progress Software respond and whether they wish to mediate the claim.

We understand this can be frustrating, but we will keep our clients updated every step of the way via email. You can also reach out to us by emailing bastaffdatabreach@leighday.co.uk

We are acting for affected clients on a so called “no win no fee” basis, which will ensure that they receive at least 75% of any compensation they are awarded if the claim is successful. Clients will not be required to make any up-front payment or similar.

We are responding to form completions within a few days. If you have submitted your form during the weekend, please allow an extra day for a response, as we won’t see your details until the following Monday morning.

If you are still to receive a response, please email us at bastaffdatabreach@leighday.co.uk to check that the details we hold for you are correct.

The data breach claim is still at an early stage, so no compensation has been given out at the time of writing. However, please be assured that we will keep our clients updated via email.

You can also reach out if you need assistance at any point of the claims process by emailing bastaffdatabreach@leighday.co.uk.