British Airways faces the largest privacy class-action lawsuit in UK history over a 2018 customer data breach.
More than 16,000 victims joined a case seeking compensation from the airline.
They could claim £2,000 ($2,733) each, said PGMBM, the law firm representing the claimants.
“We trust companies like British Airways with our personal information, and they have a duty to all of their customers and the public at large to take every possible step to keep it safe,” said Tom Goodhead, a partner at PGMBM.
“In this instance, they presided over a monumental failure.”
BA said in September 2018 that a breach of its security systems compromised the personal and financial details of more than 400,000 customers.
The airline was fined £20 million by the UK data protection watchdog last year, a fraction of a much heavier fine initially planned by the regulator.
The suit was filed in 2018, with a March 2021 deadline for more victims to join.
The claimants’ lawyers say that if every victim of the cyber attack joined the claim, BA’s overall liability could be about £800m.
The UK Information Commissioners’ Office said its investigation into the cyber attack found that “the airline was processing a significant amount of personal data without adequate security measures in place,” exposing people’s information unnecessarily.
The fine is the biggest to be handed out by the ICO.
BA said it would continue “to vigorously defend the litigation in respect of the claims brought, arising out of the 2018 cyber attack".
It said it did not “recognise the damages figures put forward and they have not appeared in the claims".
At a case-management hearing in November, BA told the court it was open to the possibility of settlement discussions with the claimants, Mr Goodhead said.
But he said they had not yet received any proposals.
The next hearing is in February.