Maximise your Avios, air miles and hotel points

British Airways agrees to pay compensation in the 2018 data breach lawsuit

Links on Head for Points may support the site by paying a commission.  See here for all partner links.

British Airways has agreed to settle the lawsuit that was heading towards the courts on the back of the 2018 data breach.

If you signed up for the class action lawsuit, a modest financial sum (the current amount is unclear) will be heading your way soon.

Can everyone else impacted claim the same amount of money? I took some unofficial legal advice on your behalf.

British Airways agrees to pay compensation in 2018 data breach lawsuit

What is the background to the BA data breach?

Between June and 5th September 2018, the data of people making a transaction at or BA Holidays was compromised and passed to an unknown third party.

BA originally stated that the following data was shared:

  • email address
  • postal address
  • credit card number
  • expiration data
  • CVV

….. but this was later found to also include log in and travel booking details as well name and address information.

Passport and frequent flyer data was not compromised as that is not transmitted during the payment process.

500,000 people were impacted by the breach.  If you were included, you will have received various emails from British Airways at the time.

The Information Commissioner’s Office (ICO) was not impressed.  In July 2019 it proposed a fine of £183 million.  This was eventually reduced to £20 million, primarily because of the impact of covid on the airline, although it was made very clear that BA had acted illegally in its treatment of passenger data.

The £20m did not go to impacted customers.  It was divided up between the various European data authorities, with the UK share going directly to the Treasury.

What happened with the lawsuit?

In October 2019, Mr Justice Warby gave permission for a passenger-led case to proceed via a group litigation order. This is a new form of legal process which works along the lines of the class action lawsuits seen in the United States.

Enthusiasm to join the suit was muted. Only 16,000 people had signed up by January 2021 after 18 months of efforts, representing just 3% of those impacted.

British Airways agrees to pay compensation for 2018 data beach to settle lawsuit

What does the British Airways settlement meant?

There was a report in the Financial Times in January which said that British Airways had agreed to settle, although this was denied by the lawyers behind the group litigation order. The story does appear to have been correct, however.

The following letter was circulated yesterday by one of the legal groups involved in the case:

RE: Your British Airways Data Breach Claim (the “Data Claim”)

Following PGMBM (formerly SPG Law)’s engagement to represent you in relation to this claim, we are delighted to confirm that on 5 July, British Airways (“BA”) agreed to settle the group claim brought by this firm and others, on your (and other claimants’) behalf.

The settlement has been reached with no admission as to liability. This means that BA does not admit that it has breached the law or its duty to you for the data breach in question – but BA has decided to pay a financial settlement now, rather than have to continue to defend the matter further through the Courts.

We will write to you individually, with confirmation and an explanation of, the compensation amount due to be paid to you, via our authorised payment agents, Shieldpay. However, under the terms of the settlement that has been reached with BA you must keep all information about it – including the amount paid to you – strictly confidential, or BA may be entitled to take legal action against you.

There is no indication as to what the sum involved may be.

How does this impact the other 485,000 people hit by the data breach?

I spoke to a senior legal figure – who happens to be a friend of mine as well – last night. To paraphrase his thoughts, and he admits that he is not a specialist in this area of law:

  • British Airways is unlikely to be obliged to offer a settlement to the other 485,000 people impacted by the breach
  • However, it will be very difficult for British Airways to defend itself against future claims. It would be logical for more suits to emerge, on the basis that it will be easy to sign up defendants now that the presumed eventual settlement amount will be known.
  • There is little logic in BA failing to admit that it broke the law over the breach given that the ICO has already found British Airways culpable and has issued a fine as punishment.

We need to see how this turns out.

Please do not tell us what your settlement is

If you are involved in the data breach, please do not email me from your personal email account with details of the settlement when it is known to you.

If we choose to publish the information, it is possible that British Airways will seek an injunction to make us hand over the names of the people who supplied us with the data.

No-one on the Head for Points team took part in the group litigation order, so we are not bound by the settlement agreement. However, my legal friend tells me that HfP may be in contempt of court if it does publish the settlement figure, if the out of court settlement is legally ratified. Let’s see how we go.

How to earn Avios from UK credit cards

How to earn Avios from UK credit cards (June 2024)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

Barclaycard Avios Plus card

Barclaycard Avios Plus Mastercard

Get 25,000 Avios for signing up and an upgrade voucher at £10,000 Read our full review

Barclaycard Avios card

Barclaycard Avios Mastercard

5,000 Avios for signing up and an upgrade voucher at £20,000 Read our full review

There are two official British Airways American Express cards with attractive sign-up bonuses:

British Airways American Express Premium Plus

25,000 Avios and the famous annual 2-4-1 voucher Read our full review

British Airways American Express

5,000 Avios for signing up and an Economy 2-4-1 voucher for spending £15,000 Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points. These points convert at 1:1 into Avios.

American Express Preferred Rewards Gold

Your best beginner’s card – 30,000 points (TO 16TH JULY), FREE for a year & four airport ….. Read our full review

The Platinum Card from American Express

40,000 bonus points and a huge range of valuable benefits – for a fee Read our full review

Run your own business?

We recommend Capital on Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios.

Capital on Tap Business Rewards Visa

10,000 points bonus – plus an extra 500 points for our readers Read our full review

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

American Express Business Platinum

40,000 points sign-up bonus and an annual £200 Amex Travel credit Read our full review

American Express Business Gold

20,000 points sign-up bonus and FREE for a year Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

Comments (85)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • IslandDweller says:

    Alex. Yes, Amex contacted me about my card, and informed me they’d taken some security measures on my Amex (I was never told what they were) though I’ve had nothing from BA directly.

  • Bradley says:

    If you signed up to SPG early they waived all fees, how would that work re settlement, would it work the same

  • Not My Real Name says:

    I was affected by this. My credit card was charged for a TV in the Netherlands, and when I told them I hadn’t authorised the purchase they refunded it, but they refunded it in Euros and the exchange rate had changed in the meantime and I lost £21. It took MONTHS to get that refunded.

    Also, BA said they’d signed me up to a year’s free Experian ProtectMyID service. I received one email from Experian saying I hadn’t activated my account. I clicked the link in the email and it said to enter the passcode or whatever they’d sent me in a separate email. I’d received no other emails, so I asked them to send it again. They said they couldn’t send anything to me because of “data protection”, but then asked me to send my full name, address, email address, and a scan of my passport the very same email address they said they wouldn’t send anything to! Yes, as part of their ProtectMyID service, Experian asked me to send personal data via unprotected email! So, whilst others may have benefitted from this year of free service, i.e. were financially compensated via paying for the cost of that service, I didn’t.

    While I didn’t lose out majorly financially, I lost time in having to get my credit cards changed, and having to call up to get refunds on my credit card.

    Can’t wait to see how much I get, but I won’t tell anyone.

This article is closed to new comments. Feel free to ask your question in the HfP forums.

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.