British Airways (BA) is potentially facing the largest privacy class-action lawsuit in UK history over its mass customer data breach that affected 400,000 people, according to a law firm involved.

More than 16,000 people are now understood to have joined a case seeking compensation from the airline over the 2018 incident.

PGMBM, the law firm representing the claimants, says each claimant could claim £2,000 each, bringing the total to more than £800m.

“We trust companies like British Airways with our personal information and they have a duty to all of their customers and the public at large to take every possible step to keep it safe, “ said Tom Goodhead, a partner at PGMBM. “In this instance, they presided over a monumental failure.”

A BA spokesperson told Bloomberg that it continues “to vigorously defend the litigation in respect of the claims brought arising out of the 2018 cyberattack.” It said it doesn’t “recognize the damages figures put forward, and they have not appeared in the claims.”

The Information Commissioner’s Office (ICO) in October fined BA £20m for failing to protect the personal and financial details of more than 400,000 customers. This was reduced significantly from the £183m the ICO originally intended to fine the company, as it took into account the impact of the Covid-19 pandemic.

The ICO found the airline was processing a significant amount of personal data without adequate security measures in place.

BA was subsequently the subject of a cyber-attack during 2018, which it did not detect for more than two months. ICO investigators found BA ought to have identified weaknesses in its systems and resolved them with security measures that were available at the time.

The attacker is believed to have potentially accessed the personal data of approximately 429,612 customers and staff. This included names, addresses, payment card numbers and CVV numbers of 244,000 BA customers.

Other details thought to have been accessed include the combined card and CVV numbers of 77,000 customers and card numbers only for 108,000 customers. Usernames and passwords of BA employee and administrator accounts as well as usernames and PINs of up to 612 BA Executive Club accounts were also potentially accessed.