Security Experts:

British Airways Settles Class Action Over 2018 Data Breach

British Airways has settled a class action brought by individuals impacted by the data breach suffered by the company in 2018, but terms of the settlement have been kept private.

The lawsuit was filed after it came to light that the airline’s systems were breached in the summer of 2018. The incident resulted in the personal and financial details of roughly 500,000 customers getting compromised.

The theft of data was the result of a Magecart attack, where cybercriminals plant malicious code on the website of a company in an effort to steal information provided by its customers.

Stolen information in the case of British Airways included names, payment card data, addresses, and email addresses.

The UK’s data protection regulator, the Information Commissioner's Office (ICO), initially intended to fine British Airways a total of £183.39 million ($230 million), but in 2020 it announced that the fine would be reduced to £20 million ($25 million), which was still described by the agency as a record fine. That fine, however, did not include any compensation for those affected by the breach.

Law firm PGMBM on Tuesday announced that it reached a settlement in the case, but terms are confidential. The airline has not admitted liability, but it appears claimants will receive some money, although the amount is not being disclosed.

PGMBM said in January that more than 16,000 victims joined its group action. The law firm said at the time that it expected victim compensation to be as much as £2,000 ($2,700 at today’s exchange rate).

However, BA’s legal problems related to the 2018 data breach might not be over. Law firm Your Lawyers says it will take further legal action if BA fails to compensate its clients with the appropriate level of damages.

Aman Johal, director of Your Lawyers, has provided the following statement to SecurityWeek:

“British Airways’ agreement to settle some of the data breach cases confirms what we already know – that the airline acknowledges that it must pay compensation to the victims of the cyberattack despite having settled without an admission of liability. BA has continually denied liability for claims, but now it should publicly admit what its lawyers must privately have advised them; that it is liable for this data breach and the distress caused to victims and must pay appropriate damages.


If the airline genuinely considered that it was not liable for claims, it would have proceeded to the trial set to take place next year. Instead, it has settled a round of claims despite the continual denial of liability. This is not the end for the approximately 380,000 people still yet to claim as this settlement only encompasses an estimated 40,000 victims. We continue to move our cases forward separately to this initial action on the basis that BA has tried to settle claims for as little as possible and, we fear, has tried to prevent more people from joining the action – yet another tactic by the airline to cut claimants out of the compensation case and reduce pay-outs.


Our clients have repeatedly informed us of fraudulent transactions on their accounts that have been exposed to professional criminals. Others have reported instances of being stranded abroad with no ability to access funds as their banks have cancelled their cards due to suspicious activity.


The case law and our own figures for settled cases – having now recovered over £1m in damages for primarily individual data breach claims – tells us what BA refuses to accept: that pay-outs could be much more than what they have wanted to settle for. We will continue to fight for an appropriate level of damages to be awarded to our clients, and we hope that the first round of settlements will give victims the confidence to come forward and hold the airline to account.”

Related: British Airways Criticized for Exposing Passenger Flight Details

Related: British Airways, Another Victim of Ongoing Magecart Attacks

Related: Cathay Pacific Airways Fined Over Long-Running Breach

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.