British Airways has settled a class action brought by individuals impacted by the data breach suffered by the company in 2018, but terms of the settlement have been kept private.
The lawsuit was filed after it came to light that the airline’s systems were breached in the summer of 2018. The incident resulted in the personal and financial details of roughly 500,000 customers getting compromised.
The theft of data was the result of a Magecart attack, where cybercriminals plant malicious code on the website of a company in an effort to steal information provided by its customers.
Stolen information in the case of British Airways included names, payment card data, addresses, and email addresses.
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), initially intended to fine British Airways a total of £183.39 million ($230 million), but in 2020 it announced that the fine would be reduced to £20 million ($25 million), which was still described by the agency as a record fine. That fine, however, did not include any compensation for those affected by the breach.
Law firm PGMBM on Tuesday announced that it reached a settlement in the case, but terms are confidential. The airline has not admitted liability, but it appears claimants will receive some money, although the amount is not being disclosed.
PGMBM said in January that more than 16,000 victims joined its group action. The law firm said at the time that it expected victim compensation to be as much as £2,000 ($2,700 at today’s exchange rate).
However, BA’s legal problems related to the 2018 data breach might not be over. Law firm Your Lawyers says it will take further legal action if BA fails to compensate its clients with the appropriate level of damages.
Aman Johal, director of Your Lawyers, has provided the following statement to SecurityWeek:
“British Airways’ agreement to settle some of the data breach cases confirms what we already know – that the airline acknowledges that it must pay compensation to the victims of the cyberattack despite having settled without an admission of liability. BA has continually denied liability for claims, but now it should publicly admit what its lawyers must privately have advised them; that it is liable for this data breach and the distress caused to victims and must pay appropriate damages.
If the airline genuinely considered that it was not liable for claims, it would have proceeded to the trial set to take place next year. Instead, it has settled a round of claims despite the continual denial of liability. This is not the end for the approximately 380,000 people still yet to claim as this settlement only encompasses an estimated 40,000 victims. We continue to move our cases forward separately to this initial action on the basis that BA has tried to settle claims for as little as possible and, we fear, has tried to prevent more people from joining the action – yet another tactic by the airline to cut claimants out of the compensation case and reduce pay-outs.
Our clients have repeatedly informed us of fraudulent transactions on their accounts that have been exposed to professional criminals. Others have reported instances of being stranded abroad with no ability to access funds as their banks have cancelled their cards due to suspicious activity.
The case law and our own figures for settled cases – having now recovered over £1m in damages for primarily individual data breach claims – tells us what BA refuses to accept: that pay-outs could be much more than what they have wanted to settle for. We will continue to fight for an appropriate level of damages to be awarded to our clients, and we hope that the first round of settlements will give victims the confidence to come forward and hold the airline to account.”
Related: British Airways Criticized for Exposing Passenger Flight Details
Related: British Airways, Another Victim of Ongoing Magecart Attacks
Related: Cathay Pacific Airways Fined Over Long-Running Breach

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Dole Says Employee Information Compromised in Ransomware Attack
- High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian
- CISA Expands Cybersecurity Committee, Updates Baseline Security Goals
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- Organizations Notified of Remotely Exploitable Vulnerabilities in Aveva HMI, SCADA Products
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
