Maximise your Avios, air miles and hotel points

British Airways agrees to pay compensation in the 2018 data breach lawsuit

Links on Head for Points may pay us an affiliate commission. A list of partners is here.

British Airways has agreed to settle the lawsuit that was heading towards the courts on the back of the 2018 data breach.

If you signed up for the class action lawsuit, a modest financial sum (the current amount is unclear) will be heading your way soon.

Can everyone else impacted claim the same amount of money? I took some unofficial legal advice on your behalf.

British Airways agrees to pay compensation in 2018 data breach lawsuit

What is the background to the BA data breach?

Between June and 5th September 2018, the data of people making a transaction at ba.com or BA Holidays was compromised and passed to an unknown third party.

BA originally stated that the following data was shared:

  • email address
  • postal address
  • credit card number
  • expiration data
  • CVV

….. but this was later found to also include log in and travel booking details as well name and address information.

Passport and frequent flyer data was not compromised as that is not transmitted during the payment process.

500,000 people were impacted by the breach.  If you were included, you will have received various emails from British Airways at the time.

The Information Commissioner’s Office (ICO) was not impressed.  In July 2019 it proposed a fine of £183 million.  See the ICO’s statement here.  This was eventually reduced to £20 million, primarily because of the impact of covid on the airline, although it was made very clear that BA had acted illegally in its treatment of passenger data.

The £20m did not go to impacted customers.  It was divided up between the various European data authorities, with the UK share going directly to the Treasury.

What happened with the lawsuit?

In October 2019, Mr Justice Warby gave permission for a passenger-led case to proceed via a group litigation order. This is a new form of legal process which works along the lines of the class action lawsuits seen in the United States.

Enthusiasm to join the suit was muted. Only 16,000 people had signed up by January 2021 after 18 months of efforts, representing just 3% of those impacted.

British Airways agrees to pay compensation for 2018 data beach to settle lawsuit

What does the British Airways settlement meant?

There was a report in the Financial Times in January which said that British Airways had agreed to settle, although this was denied by the lawyers behind the group litigation order. The story does appear to have been correct, however.

The following letter was circulated yesterday by one of the legal groups involved in the case:

RE: Your British Airways Data Breach Claim (the “Data Claim”)

Following PGMBM (formerly SPG Law)’s engagement to represent you in relation to this claim, we are delighted to confirm that on 5 July, British Airways (“BA”) agreed to settle the group claim brought by this firm and others, on your (and other claimants’) behalf.

The settlement has been reached with no admission as to liability. This means that BA does not admit that it has breached the law or its duty to you for the data breach in question – but BA has decided to pay a financial settlement now, rather than have to continue to defend the matter further through the Courts.

We will write to you individually, with confirmation and an explanation of, the compensation amount due to be paid to you, via our authorised payment agents, Shieldpay. However, under the terms of the settlement that has been reached with BA you must keep all information about it – including the amount paid to you – strictly confidential, or BA may be entitled to take legal action against you.

There is no indication as to what the sum involved may be.

How does this impact the other 485,000 people hit by the data breach?

I spoke to a senior legal figure – who happens to be a friend of mine as well – last night. To paraphrase his thoughts, and he admits that he is not a specialist in this area of law:

  • British Airways is unlikely to be obliged to offer a settlement to the other 485,000 people impacted by the breach
  • However, it will be very difficult for British Airways to defend itself against future claims. It would be logical for more suits to emerge, on the basis that it will be easy to sign up defendants now that the presumed eventual settlement amount will be known.
  • There is little logic in BA failing to admit that it broke the law over the breach given that the ICO has already found British Airways culpable and has issued a fine as punishment.

We need to see how this turns out.

Please do not tell us what your settlement is

If you are involved in the data breach, please do not email me from your personal email account with details of the settlement when it is known to you.

If we choose to publish the information, it is possible that British Airways will seek an injunction to make us hand over the names of the people who supplied us with the data.

No-one on the Head for Points team took part in the group litigation order, so we are not bound by the settlement agreement. However, my legal friend tells me that HfP may be in contempt of court if it does publish the settlement figure, if the out of court settlement is legally ratified. Let’s see how we go.


How to earn Avios points from UK credit cards

How to earn Avios from UK credit cards (October 2021)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

There are two official British Airways American Express cards. Both have increased sign-up bonuses until 2nd November 2021:

British Airways BA Amex American Express card

British Airways American Express

10,000 Avios for signing up, no annual fee and an Economy 241 voucher for spending ….. Read our full review

British Airways BA Premium Plus American Express Amex credit card

British Airways American Express Premium Plus

40,000 Avios and the UK’s most valuable credit card perk – the 2-4-1 companion voucher Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points, such as:

Nectar American Express

American Express Preferred Rewards Gold

Your best beginner’s card – 30,000 points, FREE for a year & two airport lounge passes Read our full review

American Express Platinum card Amex

The Platinum Card from American Express

60,000 points and an unbeatable set of travel benefits – for a fee Read our full review

The 30,000 points bonus on Amex Gold runs to 9th November 2021. The 60,000 points bonus on The Platinum Card runs to 2nd November 2021.

Run your own business?

We recommend Capital On Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card:

Capital On Tap Business Rewards Visa

The most generous Avios Visa or Mastercard for a limited company Read our full review

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies. This card has a limited time offer of 60,000 Avios when you sign up:

British Airways Accelerating Business American Express card

British Airways Accelerating Business American Express

60,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

(Want to earn more Avios?  Click here to visit our home page for our latest articles on earning and spending your Avios points and click here to see how to earn more Avios this month from offers and promotions.)

Comments (85)

  • IslandDweller says:

    Alex. Yes, Amex contacted me about my card, and informed me they’d taken some security measures on my Amex (I was never told what they were) though I’ve had nothing from BA directly.

  • Bradley says:

    If you signed up to SPG early they waived all fees, how would that work re settlement, would it work the same

  • Not My Real Name says:

    I was affected by this. My credit card was charged for a TV in the Netherlands, and when I told them I hadn’t authorised the purchase they refunded it, but they refunded it in Euros and the exchange rate had changed in the meantime and I lost £21. It took MONTHS to get that refunded.

    Also, BA said they’d signed me up to a year’s free Experian ProtectMyID service. I received one email from Experian saying I hadn’t activated my account. I clicked the link in the email and it said to enter the passcode or whatever they’d sent me in a separate email. I’d received no other emails, so I asked them to send it again. They said they couldn’t send anything to me because of “data protection”, but then asked me to send my full name, address, email address, and a scan of my passport the very same email address they said they wouldn’t send anything to! Yes, as part of their ProtectMyID service, Experian asked me to send personal data via unprotected email! So, whilst others may have benefitted from this year of free service, i.e. were financially compensated via paying for the cost of that service, I didn’t.

    While I didn’t lose out majorly financially, I lost time in having to get my credit cards changed, and having to call up to get refunds on my credit card.

    Can’t wait to see how much I get, but I won’t tell anyone.

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.