
British Airways agrees to pay compensation in the 2018 data breach lawsuit


British Airways has agreed to settle the lawsuit that was heading towards the courts on the back of the 2018 data breach.

If you signed up for the class action lawsuit, a modest financial sum (the current amount is unclear) will be heading your way soon.

Can everyone else impacted claim the same amount of money? I took some unofficial legal advice on your behalf.


What is the background to the BA data breach?

Between June and 5th September 2018, the data of people making a transaction at ba.com or BA Holidays was compromised and passed to an unknown third party.

BA originally stated that the following data was shared:

  • email address
  • postal address
  • credit card number
  • expiration date
  • CVV

… but this was later found to also include login and travel booking details as well as name and address information.

Passport and frequent flyer data was not compromised as that is not transmitted during the payment process.

500,000 people were impacted by the breach.  If you were included, you will have received various emails from British Airways at the time.

The Information Commissioner’s Office (ICO) was not impressed.  In July 2019 it proposed a fine of £183 million.  See the ICO’s statement here.  This was eventually reduced to £20 million, primarily because of the impact of covid on the airline, although it was made very clear that BA had acted illegally in its treatment of passenger data.

The £20m did not go to impacted customers.  It was divided up between the various European data authorities, with the UK share going directly to the Treasury.

What happened with the lawsuit?

In October 2019, Mr Justice Warby gave permission for a passenger-led case to proceed via a group litigation order. This is a new form of legal process which works along the lines of the class action lawsuits seen in the United States.

Enthusiasm to join the suit was muted. Only 16,000 people had signed up by January 2021 after 18 months of efforts, representing just 3% of those impacted.


What does the British Airways settlement mean?

There was a report in the Financial Times in January which said that British Airways had agreed to settle, although this was denied by the lawyers behind the group litigation order. The story does appear to have been correct, however.

The following letter was circulated yesterday by one of the legal groups involved in the case:

RE: Your British Airways Data Breach Claim (the “Data Claim”)

Following PGMBM (formerly SPG Law)’s engagement to represent you in relation to this claim, we are delighted to confirm that on 5 July, British Airways (“BA”) agreed to settle the group claim brought by this firm and others, on your (and other claimants’) behalf.

The settlement has been reached with no admission as to liability. This means that BA does not admit that it has breached the law or its duty to you for the data breach in question – but BA has decided to pay a financial settlement now, rather than have to continue to defend the matter further through the Courts.

We will write to you individually, with confirmation and an explanation of, the compensation amount due to be paid to you, via our authorised payment agents, Shieldpay. However, under the terms of the settlement that has been reached with BA you must keep all information about it – including the amount paid to you – strictly confidential, or BA may be entitled to take legal action against you.

There is no indication as to what the sum involved may be.

How does this impact the other 485,000 people hit by the data breach?

I spoke to a senior legal figure – who happens to be a friend of mine as well – last night. To paraphrase his thoughts, and he admits that he is not a specialist in this area of law:

  • British Airways is unlikely to be obliged to offer a settlement to the other 485,000 people impacted by the breach
  • However, it will be very difficult for British Airways to defend itself against future claims. It would be logical for more suits to emerge, on the basis that it will be easy to sign up defendants now that the presumed eventual settlement amount will be known.
  • There is little logic in BA failing to admit that it broke the law over the breach given that the ICO has already found British Airways culpable and has issued a fine as punishment.

We need to see how this turns out.

Please do not tell us what your settlement is

If you are involved in the data breach, please do not email me from your personal email account with details of the settlement when it is known to you.

If we choose to publish the information, it is possible that British Airways will seek an injunction to make us hand over the names of the people who supplied us with the data.

No-one on the Head for Points team took part in the group litigation order, so we are not bound by the settlement agreement. However, my legal friend tells me that HfP may be in contempt of court if it does publish the settlement figure, if the out of court settlement is legally ratified. Let’s see how we go.



Comments (85)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Tw33ty says:

    Guess this will have a lot of people signing up to the likes of the Mercedes-Benz emissions bypass one now, and more cases for ba.

    Choo Choo, all aboard the gravy train…

  • The Original David says:

    “Do not email me from your personal email account”

    … but anonymous emails are welcome…? 🙂

    • Tarmohamed says:

      This reminded me of studying law at university 😂

      • Peter Ould says:

        Tee hee.

        My father was a barrister and we grew up discussing slugs and ginger beer bottles over breakfast. Now I deal with contracts every day of my life, and am trying to teach my kids that words and what they precisely mean are really important.

    • Pb says:

      I think an anonymous letter is safer.

    • Rui N. says:

      “You might think that; I couldn’t possibly comment”

    • Mike says:

      Or just publish it in comments!

      • Rob says:

        I will have to delete it due to contempt of court risks.

        Same reason I will need to delete it if anyone posts the reason for Michael Gove’s divorce ….

        • A says:

          There is no risk unless and until the settlement is actually approved at court, and you could comply by deleting at that time.

          But up to you if you want to take a very conservative position to mitigate risk.

        • Yuff says:

          Has he been doing a Hancock 🤣

          • Rantallion says:

            The Spectator published in 2016 some interesting speculation about Gove.

          • Sideshowbob says:

            With a GB news presenter 😂

          • Jonathan says:

            Twitter is full of all sorts of scurrilous rumours.

        • J says:

          Is it because he’s Michael Gove?

        • Keely says:

          I had zero interest in his divorce until I read this …now I feel I need to google it 🤣

          • Number9 says:

            Me too! It was obvious when she started losing loads of weight and taking more care of her appearance something was going on. I think he would prefer a mr gove than a mrs gove.

          • Yuff says:

            Number 9

            🤣

          • Nick says:

            Oooohhh now I also want to know!!

  • gareth says:

    Where can I sign up!!?

    • Paul Pogba says:

      Too late. I didn’t join either but I might next time. If the rumours of another breach are true they don’t look like a company that learnt anything.

      • Ls says:

        Yup. It’s almost like they only learn when lots of people sue them for lots of money.

        • Paul Pogba says:

          The cost of paying off customers and solicitors needs to exceed their investment in IT before it will improve.

  • Paul says:

    Rob, is your senior legal figure able to share a ballpark amount that would be typical of similar cases? i.e. are we talking £50 vs £500 vs £5000?

    • Andrew says:

      The lawyers’ website said “up to £2000” when they were trying to get signups.

      • Tw33ty says:

        Even if it’s only £50, of the 460000 people not part of the claim, I’m sure many will jump on the bandwagon.

        If it’s for more, might be a new ppi advert style boom on TV.

  • John says:

    I didn’t sign up because the terms stated that I might be required to attend court or something at any time and if I didn’t I might be liable for the law firm’s costs.

    • BSI1978 says:

      Yup, seem to recall the discussion at the time on here centred on this; & presumably the costs could/will still eat into any award. Or is that for BA to cover?

      • JDB says:

        In a case like this it is likely BA will have agreed, as part of the settlement, to pay the claimant’s costs (and their own) but quite likely an agreed figure less than the full sum. The balance will come out of the settlement. If we see some headline figure for the settlement, you can’t simply divide that by 16,000 claimants as the un-recovered costs, success share and insurance etc. will eat a huge chunk.

        • Claire says:

          I’m not sure that it will be equally divided as claimants were affected differently. For example some suffered financial loss, some emotional distress, some both and I think this is taken in to consideration when dividing the money then – 30% to the law firm.

        • Claire says:

          Sorry misread “can’t” for “can”

    • ChrisW says:

      Class actions don’t work like that. The law firm takes on all the risk and then takes a huge chunk of the payout if there is one.

      • JDB says:

        They don’t take all the risk, the biggest of which is paying the other side’s costs if you lose. They will almost certainly have taken out ATE insurance, the premium for which will be paid for out of the settlement in addition to the % success fee.

      • Rob says:

        It was true that a selection of claimants would need to appear in court.

        • 1ATL says:

          According to the information, BA settled out of court before anyone had an opportunity to see the inside of a courtroom and give any evidence of wrong doing. People genuinely affected by the data breach presumably still have the opportunity to turn down the kind offer of an out of court settlement and take it to the courtroom if they so desire?

  • Ian says:

    I hate this compensation culture. BA acted promptly to mitigate any effects by providing a year’s subscription to Experian. Can anyone out there honestly say they lost anything?
    I would have thought most HfP readers would be more interested in flying again and doing their best to help our flag carrier after the pathetic lack of support from Govt.

    • A says:

      You’re right, I imagine it would be beyond the fraudsters to wait for 12 months wouldn’t it

      • Chrisasaurus says:

        They don’t need to wait – the fraudsters business model doesn’t rely on the victim never finding out!

    • Vic says:

      I too hate compensation culture. My data was breached at BA and shortly afterwards my eBay, Netflix and Spotify accounts were hacked. Someone tried to buy an iPad on eBay but I spotted it in time. Some of my hacker’s musical choices actually weren’t that bad! All happened shortly after the data breach but who knows whether they were linked and I guess could have been much worse.
      I did have a look at the SPG link and stupidly gave my number. I was inundated with texts and calls afterwards that, quite frankly, put me off. I decided not to pursue it.
      I’ve got a very good status with BA and I suppose I also didn’t want to jeopardise that.

      • Paul Pogba says:

        I think we’re in an age where you should use a different password for every business you deal with so if anything is hacked or leaked it ringfences the damage. I use a separate alias email address for BA now that only they have been issued so if it ever ends up on the dark web I’ll know it’s a result of their shoddy work.

        • Nick says:

          Agreed – if you have a gmail or hotmail/outlook account, you can also use a different email alias and password for each account by using the + symbol, with all emails going to the same address. ie [email protected] will be delivered to [email protected].

          This, coupled with a different password per account and two factor authentication, is the only way to mitigate most of the opportunistic hackers.

          Probably over the top, but having had multiple accounts breached using credential stuffing, this is something I now adopt.

    • Chris Heyes says:

      Ian I Agree tongue in cheek there should be no compensation if BA or any other Airline fail to get you to your destination You should just take the loss on the chin
      Why should they have to give you your flight money back
      After all it’s not the Airlines fault you couldn’t get into the country lol

    • Paul Pogba says:

      I didn’t join because I’m not one for kicking somebody when they’re down (and because I have an Avios balance I don’t want to lose) but there is only so long you can give any company the benefit of the doubt. *IF* there has been another breach and my details are involved I will have lost patience. I’ve never killed (or even harmed) anyone when I speed but that doesn’t mean I shouldn’t be fined if I’m ever caught or that I shouldn’t avoid doing it in the first place.

    • Claire says:

      I can .. I cancelled the holiday I had booked during the breach and I asked BA to refund me but they refused. I didn’t trust the original information that the travel details had not been stolen and I was correct to not trust. BA were adamant they were not going to refund me and showed complete disregard towards my situation, so I for one did absolutely feel justified in joining the action.

    • Andy says:

      I did sign up at the start (although I wouldn’t now after the troubles BA have been through)

      I was really annoyed how they dealt with me at the time. My card details were in the breach and BA admitted that. I had a fraudulent purchase pop up on my phone a month or so later for a substantial amount of money. I had to spend two hours on the phone at a close friend’s 40th birthday party sorting it out. I was then without my card for three weeks due to going on holiday. I missed out on around 2000 Avios of spend during that time. Not the end of the world. But I got in touch with BA and explained the situation: I asked for a goodwill gesture of half the Avios I was missing. They refused and then I got the email about signing up for the class action so I did.

      If BA had just thrown me 1000 Avios I’d have gone away at the start

      • Yuff says:

        I think I may have had an email but like others I don’t like this money for nothing culture. I am fairly sure if they had used my details the card company would have refunded me and I remember cancelling some cards as well.
        A little bit inconvenient, yes, but worth £500 £2k no.
        I don’t agree with ambulance chasers and this is just another scheme like that.

    • Ben says:

      I am a claimant, and I also work in information security. The reason I signed up to this litigation is that BA were completely unresponsive to my followup requests for more information, utterly unapologetic, and stonewalled requests for reasonable compensation.

      Their foolish cost-cutting put me and my family in harm’s way because of my work, and I want to take every possible step to make sure they learn from this lesson, in particular to stop outsourcing mission-critical IT to the cheapest bidder.

      • Brian W says:

        How exactly were your family put in ‘harms way’ by your card data being breached @Ben?

  • Andrew says:

    So presumably there will be lots of other law firms going after this now so we can sign up with one of those.

  • TimM says:

    I would have thought it would have been better for BA to let it go to court as the court had imposed a deadline for those affected to join the case. Now it appears both open-ended and inviting others to jump on the bandwagon. We shall see what emerges, or maybe we won’t?

    • JDB says:

      There isn’t a bandwagon worth jumping on. Any sum received will be de minimis as the ‘victims’ of which I was one have in reality suffered nothing and to the extent any ‘victim’ could prove actual loss they would have been paid out in full a while ago. We don’t have punitive damages in England in the same way as the US. The purpose of the court process is to put the claimant back into the position they would have been if the breach had not occurred.

      • Peter Ould says:

        This is not quite true. Since Vidal-Hall vs Google, UK courts (certainly English and Welsh ones) have seen damages for data protection breaches being not limited to just the fiduciary loss. Certainly it wouldn’t run into tens of thousands (in the way that US punitive claims do), but a sum around £1000 is not unreasonable even if no actual fraud was committed on the card (and if it was, then more).

        I would anticipate a sum in the top end of three figures, minus 30% for expenses. Coming away with £500 or more would seem a reasonable expectation (and in my case it’s all going to the local foodbank).

        • RussellH says:

          As someone who issues foodbank vouchers, a big thank you for donating!

          • Peter Ould says:

            We had a very successful year at work and we did share the fruits of that over the winter.
