
British Airways Data Breach Settlement Could Cost £2.4bn

Michael Behr



The settlement comes after the ICO issued BA with a £20 million fine last year.

British Airways (BA) aims to enter settlement discussions over a data breach that could see the company paying £2.4 billion to victims.

Two data breaches took place in 2018, one between April and July and another between August and September. They were revealed in September 2018 when the company stated that the personal and financial details of over 420,000 people had been accessed by hackers.

The victims included both customers and staff. Of these, 244,000 BA customers had their payment card numbers and CVV numbers leaked.

BA is set to begin settlement discussions in the first quarter of this year.

The case against the company is being led by law firm PGMBM. Under Article 82 of the EU-GDPR, the victims of the breach are entitled to compensation based on inconvenience, distress, annoyance, and loss of control of their personal data.

People affected by the breach have until March 19 to join the Group Litigation Order (GLO) to claim compensation.

The £2.4 billion settlement could see the victims receive around £2,000 in compensation, with some seeing more based on the impact the breach had on the individual.

Consumer action law firm Your Lawyers was appointed to the Steering Committee responsible for the overall conduct of the BA data breach litigation in 2019.

“News that British Airways wants to settle compensation claims, with negotiations set to take place in the first quarter of 2021, is acknowledgement of its wrongdoing in failing to protect customer data,” said Aman Johal, director at Your Lawyers, in a statement.

“This is incredibly positive news for the victims of the breach and for consumer rights in general, but people must act fast to avoid missing out.”

In a statement from BA, the company said: “We continue to deny liability in respect of the claims brought arising out of the 2018 cyber attack and are vigorously defending the litigation. We do not recognise the damages figures that Your Lawyers has put forward, and they have not appeared in the claims.”

The Information Commissioner’s Office (ICO) stated that the breach was due to BA’s poor security, including how it treated login, payment, and booking information.

Without adequate security measures in place, and given the scale of the data being processed, the ICO ruled that the company had broken data protection laws.

Investigators found that the company was alerted to the breach by a third party, as it had failed to detect the attack itself.

This caused the ICO to hit BA with a planned £183 million fine. This was eventually reduced to £20 million, which is still the largest ever issued by the ICO. The fine was lowered, in part, due to representations from BA and after considering the impact of the coronavirus pandemic on the business.


The settlement comes soon after BA received a £2 billion loan backed by the UK government at the start of the year.

According to the company’s owner, International Airlines Group (IAG), the loan “will be used to enhance liquidity and provide British Airways with the operational and strategic flexibility to take advantage of a partial recovery in demand for air travel in 2021 as Covid-19 vaccines are distributed worldwide.”

The loan comes as additional lockdown restrictions force BA, among other air carriers, to review their business plans for the coming year.

Michael Behr

Senior Staff Writer
