Maximise your Avios, air miles and hotel points

Legal fees in British Airways data breach case hit £1,000 to £3,400 per person

Links on Head for Points may pay us an affiliate commission. A list of partners is here.

People who signed up for the British Airways data breach lawsuit via PGMBM, the biggest of the law firms taking part, received their settlement notices yesterday.

We are not allowed to disclose the amount but it was peanuts compared to the huge sums that had been suggested. Here is a press story from January 2021 where one of the law firms involved is suggesting that claimants would receive ‘an average’ of £6,000, implying many would get more. Some chance.

What is not confidential is the bill run up by the lawyers. The size of this bill gives an indication of the scale of the damages it was assumed British Airways would pay, and implies that someone did seriously believe the £6,000 figure.

Legal fees in British Airways data breach case exceed £1,000 per person

The level of legal fees charged varies, oddly. I have seen a Category 1 letter, where there was evidence of fraud based on the leak, allocated over £3,400 of legal costs. Another person in Category 1 was allocated just £1,000.

For a Category 2A claim, where there was no proof that the accessed data was used, the legal fees seem to be around £1,100. On top of this, there were expenses of over £150.

Actual expenses were far higher. As we reported back in February, the lawyers lost a court case where they attempted to include the costs of their TV and social media advertising campaigns in their reclaimable expenses.

PGMBM claimed that it had spent £443,000 on advertising so far and intended to spend another £557,000 before the case was heard. At the High Court, Mr Justice Saini decided that this was general marketing expenditure and was not reclaimable from the client. You can read more in the Law Society Gazette here.

Luckily for claimants, their exposure to legal fees and expenses is capped at 35% of the compensation received.

Without going into numbers, 35% of the settlement amount – at least for those in Category 2 who could not prove that their data was stolen – isn’t going to make much of a dent in the £1,000 to £3,400 of legal fees once the third party expenses and the £1m advertising budget is paid. Those who signed up early were promised 100% of their settlement, meaning even less for the lawyers.

Legal fees in British Airways data breach case exceed £1,000 per person

PGMBM did say that British Airways has made a ‘contribution’ to these costs so there may be some profit for the lawyers at the end of the day. It certainly isn’t a bonanza though.

British Airways may have played this right. It made a settlement offer which was a fraction of the numbers that had been banded around when the lawsuits were launched. There was a real risk that, if the case had gone to trial, the judge would have decided that BA’s offer was reasonable, that the lawyers should have accepted and that the case should be thrown out.

At the very least, the case would probably have proceeded with a final settlement being made at the offer BA suggested, and with the lawyers being saddled with additional legal fees.

At the end of the day, the case has not been a great result for anyone involved.

Looking at online comment elsewhere, you had people originally claiming they were taking part in the action “purely as a point of principle” before turning angry when it turned out that the proceeds were going to get them a weekend in a Holiday Inn rather than a week-long five star holiday. Meanwhile, BA is hit by a cash outlay at the same time as it has to decide whether to make more redundancies, or otherwise start paying staff not to work, as the end of furlough approaches next month.

In the meantime, keep an eye on your social media feeds for ads asking you to join the easyJet data breach case. A quick Google search for “easyjet data breach claim” brings up various firms claiming you can get £2,000 by signing up. I wouldn’t bet on it.


How to earn Avios points from UK credit cards

How to earn Avios from UK credit cards (October 2021)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

There are two official British Airways American Express cards. Both have increased sign-up bonuses until 2nd November 2021:

British Airways BA Amex American Express card

British Airways American Express

10,000 Avios for signing up, no annual fee and an Economy 241 voucher for spending ….. Read our full review

British Airways BA Premium Plus American Express Amex credit card

British Airways American Express Premium Plus

40,000 Avios and the UK’s most valuable credit card perk – the 2-4-1 companion voucher Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points, such as:

Nectar American Express

American Express Preferred Rewards Gold

Your best beginner’s card – 30,000 points, FREE for a year & two airport lounge passes Read our full review

American Express Platinum card Amex

The Platinum Card from American Express

60,000 points and an unbeatable set of travel benefits – for a fee Read our full review

The 30,000 points bonus on Amex Gold runs to 9th November 2021. The 60,000 points bonus on The Platinum Card runs to 2nd November 2021.

Run your own business?

We recommend Capital On Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card:

Capital On Tap Business Rewards Visa

The most generous Avios Visa or Mastercard for a limited company Read our full review

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies. This card has a limited time offer of 60,000 Avios when you sign up:

British Airways Accelerating Business American Express card

British Airways Accelerating Business American Express

60,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

(Want to earn more Avios?  Click here to visit our home page for our latest articles on earning and spending your Avios points and click here to see how to earn more Avios this month from offers and promotions.)

Comments (144)

  • Dave says:

    I signed up for this right at the start. My personal costs from the fraud worked out around £100. I also had to spend two hours of a good friend’s 40th birthday on the phone to Amex trying to sort the mess out. I contacted Ba at the same and complained and suggested a goodwill gesture of 5000-10000 avios would be sufficient compensation.

    They refused so I stayed in the claim. Rob’s comments have made me feel a bit guilty for the impact on Ba staff. I just wish they’d pawned me off with 5000 avios at the start of this as it would have been better for them in the end.

    • Pete M says:

      Fairly certain BA’s insurers will pay out for this.

      • Farid says:

        +1
        Even though their premium will definitely increase a lot afterwards

      • Peter says:

        Can insurers pay out on a court ruling? I don’t think they are allowed to even if they wanted to? I’ll stand corrected but I remember something about the ABI not allowing members to pay for costs caused by unlawful actions, which this would be classed as.

        • John says:

          Yes insurers can indemnify this. Look up cyber insurance. Insurers cannot indemnity criminal penalties (which this isn’t, it’s damages in a civil claim) and are not going to offer policies for deliberate acts.

        • David says:

          It’s not a court ruling.
          It’s a settlement.
          The insurance provider was likely consulted throughout the process,and involved in the decision to settle.

        • Bonglim says:

          I medicine they mostly settle but if your insurer wants to defend your case it will go to court and pay out if you lose.
          So yes they can pay out on a court decision.

  • BP says:

    Personally, I’m just waiting on the BA attackers sending emails purporting to be Sheildpay. That would be genius! Using information that was compromised by the attackers to make the compensation payments seems a bit naive.

    • Ls says:

      Hah! Brilliant. Just input your full banking details here for your payment…

  • Pangolin says:

    I got Cat 2A. My Amex Gold card was cancelled by Amex due to suspicious transactions (blocked at source by Amex profiling) while I was travelling abroad. It took 3 weeks to get a replacement. When I spoke to the Amex rep he said it was likely related to the BA breach but I wouldn’t get anything in writing as it was just a hunch.

    The money from PGMBM is enough for a weekend in Ibis Budget.

    Time to live it up

  • Luke says:

    I was one of those whose card details were stollen, and my credit card was replaced. I then travelled abroad (outbound with Ryanair, return with Iberia) where Iberia wouldn’t let me fly back as I didn’t have the original credit card that I booked the flights with (maybe my own fault for throwing the fraud card away?) at check-in.

    What was even worse was the Iberia flight was full, so they wouldn’t let me buy a new ticket even though one of the seats was booked for me!

    Anyway, went through CMER and BA refunded the flight cost which I accepted. I was still out of pocket a very expensive EasyJet flight that I had to book.

    I didn’t join this lawsuit as I wasn’t prepared to go to court should I very unlikely be asked to go.

    Glad for those who did get a small payout, though I won’t lose much sleep over it.

    • Chris Heyes says:

      Luke What makes you think it was a “small pay-out” those that was in early certainly didn’t get a “small pay-out!

      • Luke says:

        Your value and opinion of a ‘small pay-out’ could be much different than mine. If you’re expecting thousands, you’re S.O.L.

    • Lady London says:

      Umm Luke I’ll bet Iberia was doing everything it could to offload booked passengers on your flight for free without having to compensate people because they’d oversold the flight. Or perhapa combined flights. Or overload due to connecting passengers being added from another flight that was late.

      It’s so rare to be asked to actually produce the card used to pay for a flight and in a disturbing number of cases it appears to be for this reason.

      I even suspect the ability to call on this small print for this reason may be why it’s in some airlines’ ts and cs in the first place. As there’s substantial compensation for denied boarding (a frequently occurring issue in the US aa comparee to Europe mostly). After all, there are many reasons why people’s card numbers change quite frequently including security of periodic card number changes on same account.

      • Nick says:

        Nice assumption, but not quite. I’ve been asked to provide my CC on a few occasions, it’s quite a standard security protocol. The flights (once I’ve passed the check and boarded) have never been full. The real answer is not to throw away an expired (or changed) card until all travel booked on it has been taken. They don’t validate the card with a further authorisation, just check it’s your card.

  • Dave1985 says:

    Limited cash pile? 🤣

  • Happy says:

    I also approached BA after I received the data breach email on 07-Sep-2018 and offered to resolve the matter amicably but left the door open for them to make a reasonable offer to compensate the loss of my data (the underlying intimation being a reasonable offer of Avios in settlement and I would have bit their hand off at 20k Avios).

    The email response from BA CS was a bit arsey, to say the least, and didn’t even bother to respond as that did get my back up and decided on the group claim.

    Anyway, I now qualify for category 1 settlement and quite right too. 20k Avios would have been cheaper for them, though.

    Hopefully BA can sort out their IT issues and get with the digital age, otherwise it’s going to cost.

  • Will says:

    Some very sour comments (people) on here. Be glad for your couple of hundred quid (or whatever you got) for little or no inconvenience.

  • Alistair Smith says:

    BA informed me that I was a ‘victim’ of the data breach having booked a flight to Japan in the period affected. Luckily no harm ever came of it and when it came to taking the flight I was pleased to have been upgraded to first class, which I considered to be more than adequate compensation. As an aside I always view adverts quoting “up to £x” with a healthy dose of skepticism.

    I wish in cases like this that the courts would call in a few more of these bandwagon jumping ‘victims’ to explain in detail exactly how they have been disadvantaged, and, had it not been for the adverts all over facebook what action they would have taken to claim recompense from the company for what they had suffered.

    Anybody who had been genuinely disadvantaged should of course be compensated, but all that most of these chancers have really achieved is putting up the cost of their future flights.

    • Adam says:

      I agree in part with this. However, these companies – for better or worse – make the process possible.

      My card was used fraudulently after the breach and BA’s response was “sorry about that, but who’s to say it was our fault. You’ll need to prove it.”

      I am 99% certain it was as a result of BA as it was a brand new card but how do I prove it – without going down a very expensive route in both time and money.

      Without PGMBM, BA are laughing. They know no one would take them on with all their lawyers.

      They could have made this right by offering some form of compensation/gesture in the form of miles/voucher. They choose not to and this drew a line in the sand. Fine – but they now need to live with the outcome and if that includes compensating those that weren’t affected then so be it.

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.