
British Airways agrees to pay compensation in the 2018 data breach lawsuit


British Airways has agreed to settle the lawsuit that was heading towards the courts on the back of the 2018 data breach.

If you signed up for the class action lawsuit, a modest financial sum (the current amount is unclear) will be heading your way soon.

Can everyone else impacted claim the same amount of money? I took some unofficial legal advice on your behalf.


What is the background to the BA data breach?

Between June and 5th September 2018, the data of people making a transaction at ba.com or BA Holidays was compromised and passed to an unknown third party.

BA originally stated that the following data was shared:

  • email address
  • postal address
  • credit card number
  • expiration date
  • CVV

….. but this was later found to also include log in and travel booking details as well as name and address information.

Passport and frequent flyer data was not compromised as that is not transmitted during the payment process.

500,000 people were impacted by the breach.  If you were included, you will have received various emails from British Airways at the time.

The Information Commissioner’s Office (ICO) was not impressed.  In July 2019 it proposed a fine of £183 million.  This was eventually reduced to £20 million, primarily because of the impact of covid on the airline, although it was made very clear that BA had acted illegally in its treatment of passenger data.

The £20m did not go to impacted customers.  It was divided up between the various European data authorities, with the UK share going directly to the Treasury.

What happened with the lawsuit?

In October 2019, Mr Justice Warby gave permission for a passenger-led case to proceed via a group litigation order. This is a new form of legal process which works along the lines of the class action lawsuits seen in the United States.

Enthusiasm to join the suit was muted. Only 16,000 people had signed up by January 2021 after 18 months of efforts, representing just 3% of those impacted.


What does the British Airways settlement mean?

There was a report in the Financial Times in January which said that British Airways had agreed to settle, although this was denied by the lawyers behind the group litigation order. The story does appear to have been correct, however.

The following letter was circulated yesterday by one of the legal groups involved in the case:

RE: Your British Airways Data Breach Claim (the “Data Claim”)

Following PGMBM (formerly SPG Law)’s engagement to represent you in relation to this claim, we are delighted to confirm that on 5 July, British Airways (“BA”) agreed to settle the group claim brought by this firm and others, on your (and other claimants’) behalf.

The settlement has been reached with no admission as to liability. This means that BA does not admit that it has breached the law or its duty to you for the data breach in question – but BA has decided to pay a financial settlement now, rather than have to continue to defend the matter further through the Courts.

We will write to you individually, with confirmation and an explanation of, the compensation amount due to be paid to you, via our authorised payment agents, Shieldpay. However, under the terms of the settlement that has been reached with BA you must keep all information about it – including the amount paid to you – strictly confidential, or BA may be entitled to take legal action against you.

There is no indication as to what the sum involved may be.

How does this impact the other 485,000 people hit by the data breach?

I spoke to a senior legal figure – who happens to be a friend of mine as well – last night. To paraphrase his thoughts, and he admits that he is not a specialist in this area of law:

  • British Airways is unlikely to be obliged to offer a settlement to the other 485,000 people impacted by the breach
  • However, it will be very difficult for British Airways to defend itself against future claims. It would be logical for more suits to emerge, on the basis that it will be easy to sign up defendants now that the presumed eventual settlement amount will be known.
  • There is little logic in BA failing to admit that it broke the law over the breach given that the ICO has already found British Airways culpable and has issued a fine as punishment.

We need to see how this turns out.

Please do not tell us what your settlement is

If you are involved in the data breach, please do not email me from your personal email account with details of the settlement when it is known to you.

If we choose to publish the information, it is possible that British Airways will seek an injunction to make us hand over the names of the people who supplied us with the data.

No-one on the Head for Points team took part in the group litigation order, so we are not bound by the settlement agreement. However, my legal friend tells me that HfP may be in contempt of court if it does publish the settlement figure, if the out of court settlement is legally ratified. Let’s see how we go.



Comments (85)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • David says:

    I think the law firms work for their own interests first.

    I would presume that the amount offered would fall well short of their initial amounts claimed, which only would induce people to sign up.

    However, it would have to be of an amount sufficient to cover their costs and give them a profit, otherwise why accept given their confidence?

    But if modest that might mean difficulty signing new people up.

    It would be interesting to see what effect this has for other cases. I’d imagine the majority of participants would have not seen anything done with their data (although does not rule that something might in future). So this may put a ballpark price on an amount received for a data breach; I don’t see why the penalty should change dependent on company as in theory the data was leaked to the same people.

    • A says:

      Law firms who don’t put their clients’ interests first are in breach of their regulatory obligations. It’s one of the SRA’s regulatory principles that solicitors must act in the best interests of their clients.

      • Chrisasaurus says:

        Well put it another way – do you see a law firm starting a class action that they felt wouldn’t pay out enough to make them a profit?

        • A says:

          No, of course not – nobody is starting a class action if they think it won’t be profitable. That’s economics.

          But once they’ve on-boarded clients, they aren’t going to accept an offer of £x when £x+y is reasonably likely to be achievable, both because of economics but also their duty to their clients.

          • Rob says:

            They might, because there are only 16,000 people to split the costs between.

            Let’s imagine it would be another £1m of legal fees to go to trial. This is £62.50 per person. The law firms take 30% of your cash. This means that they need to be convinced that the trial would get at least £208 more than BA’s offer just to break even – and they are gambling £1m on it.

    • Jonathan says:

      The 30% is the success fee the law firm take as a pure profit bonus. Their costs are deducted from the total settlement before they work out the individual compo amount.

      They may have negotiated for their fees to be paid separately by BA but either way they’re well covered.

    • Alan says:

      There has been speculation of around £2,000, based on that being the ballpark figure for other similar data breaches.

      What I don’t understand, is how this puts an end to the matter. Won’t it just kick off a rash of further similar claims, or a demand that all affected clients be given the same compensation?

      • Rob says:

        There is no ballpark figure because there has never been a group litigation order of this size.

        BA knows that it potentially owes 500,000 people this money so it can’t be more than a nominal sum, or at least it will be once the lawyers have deducted their fees and 30% profit.

        • Adam says:

          PGMBM had a client panel onboard with this. I would have assumed that this panel would have been satisfied with the numbers quoted else they would not have agreed.

          As mentioned above, the solicitors emailed at the end of last year after newspaper speculation that payouts could be in the £6,000-£16,000pp range. They said this was highly unrealistic but expected that £2,000pp was a reasonable expectation.

          Given they are legally obliged to work with the best interests of their clients, it would certainly be disappointing if they have decided to take much less than this as a settlement after advising clients of their own expectations of compensation.

          Guess those affected will know within a week or two.

          • Rob says:

            All they need to say is that they were not 100% certain of winning (which obviously would always be true) and something was better than potentially nothing ….

  • Andrew says:

    Oh, I do love a “Non-Disclosure Agreement”.

    Lawyers on here feel free to correct me if I’m wrong, but from experience I’ve found that there is nothing to stop a husband, wife, lover or similar disclosing a value that’s been credited to their joint current account.

    A former colleague’s wife came marching into our office and told us all exactly how much had “mysteriously” been paid into their joint account by our company. There was a massive hoo-hah about it, and threats of the payment being recovered due to the alleged breach of the NDA. Eventually a compensation payment was made to the wife for the poor experience she had as a consequence.

    Although, now I’m thinking about it… Is it a breach of an NDA for individuals to sign up to or remain with services like Nectar Connect where you share your transactional details through openbanking in return for points?

    • Mouse says:

      Why did your colleague receive a mysterious payment and why did their wife want to tell you all about it?

      • Andrew says:

        The generous and mysterious payment arrived shortly after my former colleague had a brief chat with our company’s lawyer on the Court steps.

        Because he was forbidden from doing so, and she wanted everyone to know who won.

    • Tim says:

      You are correct about an NDA. An NDA is just a contract and a contract is only binding on a party to the contract (although in your example the husband could agree in an NDA contract to “procure” the non-disclosure by his wife – then if the wife disclosed he would be in breach of the contract even if she could not be).

      But the threat of contempt of court in this case binds everyone because it is not a contract. Essentially the requirement of secrecy is included in the judge’s court order. Anyone can be in breach of a court order (although there are jurisdictional issues – remember when Jack Straw’s son was arrested for smoking pot, an English Court issued an injunction (which is a court order) preventing this information being published, but the Scotsman, a newspaper published in Scotland and therefore outside the jurisdiction, published the details).

  • Alex says:

    I was always suspicious that I was affected by this as I had my BA Amex used fraudulently with my postal address used as the billing address (suggesting my address, cvc, card number all stolen, and it wasn’t stored on many sites!). But I was never contacted that I was affected, in fact BA confirmed to me I wasn’t.

    Is anyone else in a similar position where they suspect they might have been affected but aren’t on BA’s list?

    • Adam says:

      My personal circuses with this.

      I had email saying my details had been obtained and then 7-10 days after I had that card used fraudulently for 3 separate purchases at Harrods and 2 more at an online clothing company.

      I managed to contact the card company and the Harrods purchases were stopped prior to shipping but the other two went through.

      I subsequently spent a large amount of time and effort via calls and emails for this to finally be refunded – this was 5 months after the fact. I then had a further battle to get the interest accrued on these purchases refunded as it was increasing while the purchases were “frozen”.

      Ultimately – was I out of pocket? Financially, no. But my time is worth something.

      How much? I let the solicitors decide that and I will accept whatever figure that is.

      I, like many others, see this as a principle that BA needs to understand and that only appears to happen when it hours their wallet.

      For further context. The card used was a card I only used on BA, yet BA themselves contested that although my card was used fraudulently, they did not accept (ie I couldn’t prove) it was as a result of their breach – and is that not that actually bothers me the most.

      • Adam says:

        Apologies for some of the typos and autocorrect.

        Last line should be: “And that’s what actually bothered me the most”

        Shouldn’t have referenced a circus in the first line either but in hindsight, it’s actually not far off the truth.

        • meta says:

          Somebody used my BAPP to buy £2k TV at John Lewis, just after midnight on New Year’s. They probably thought I won’t notice it then, but I had a notification appearing on my phone. Called Amex fraud dept. immediately and waited about half an hour. They reissued and the card arrived the following week. I also received a letter from Amex stating that it was possibly linked to BA data breach. I also received a letter from John Lewis stating that somebody tried to collect the TV, but they didn’t have relevant documentation so they stopped them.

      • JDB says:

        While you know and I know that your time is worth something, the Court will not really attribute any value to it. The Court is just concerned with putting you back into the original position, not enriching you. Although this breach was a real pain for many people it is difficult to prove that any subsequent use of an involved card did actually relate directly to the breach and usually the card providers/bank will refund you.

        • Adam says:

          I agree in part but given I was “made whole” in that I didn’t end up losing financially, anything I get from this settlement in my mind is the compensation for my time and effort. I’m pretty relaxed about these things and the reason I use credit cards (other than points) is that is my money until it goes wrong and then it’s “their” money.

          Ultimately, from the email I received, I will get something and I will not question or quibble over whatever that amount is.

          These guys and girls working on my behalf have convinced BA/a court that my time was worth something and I will see what that is in due course.

    • Tracey says:

      Yes. Exactly the same. BA Amex fraud, to such an extent that the Amex fraud team couldn’t track down how the fraudster had managed to get certain details. Fraudsters had even obtained my mother’s maiden name.

      • LS says:

        This is information you can never put back in the bottle, and your info will forever be available online on the dark web.
        Beware: you may get a CIFAS fraud marker on your account, which will affect your ability to get future credit.
        I have received incessant calls claiming to be HMRC/Lloyds/Royal Mail etc all knowing something about me, and trying to get me to pay/confirm my details etc. They all started around the BA breach time. I can’t show one cause the other. I am *very* careful with my details normally, so quite annoyed.

  • Luke says:

    As someone who was genuinely impacted by the data breach (my credit card was replaced shortly before a flight due to this, I threw the old card away when the new one arrived, then realised I needed it to check-in for my Iberia flight, had to rebook with the new card at a ridiculous cost).

    I never signed up for the lawsuit as I was never prepared to go to court in the unlikely event I was asked to, plus I received some of the costs back through the CEDR at the time.

    Congrats to those who did sign up.

    • Alex Sm says:

      Why on Earth do you need a credit card to check in for a flight??

      • Rui N. says:

        Some companies have that on their conditions of carriage, and every now and then check in agents ask for the card used to pay for the reservation. It’s stupid but it’s true!

  • TimM says:

    I did sign up but was concerned that if I failed to provide all necessary information, I would be liable for fees. I only received automated emails reminding me of this, as if I hadn’t supplied copies of all emails and bookings, which I thought I had.

    In recent weeks, the firm I used were fishing for people who had suffered psychological harm as a result of the data breach and were able to offer a professional opinion for the court. I thought that very far-fetched.

    I think I can say without compromising HfP’s or my position, that I have heard nothing about the latest settlement other than what I have read here.

    Now, if Gove & Hancock had been having an illicit affair, that would be excellent tabloid fodder.

  • LS says:

    Has anyone received their email telling them how much money they will get?

  • Super Secret Stuff says:

    This reminds me, my OH had her health details exposed in a hack about a year ago. Still pondering about bringing action against the care provider

  • Alex Sm says:

    British Airways again acts in a very pathetic way. Like they did with refunds: you will not get anything unless you ask for it. In fact, everyone affected by this breach should be offered compensation regardless of whether they joined this lawsuit or not. They are equally entitled to it. And annual subscription for Experian is not enough I’m afraid, they should have offered Avios or cash
