This article is more than 1 year old

British Airways data breach lawsuit settled: Airline coughs up potentially millions to make sueball bounce away

And a third of that's going into the lawyers' pockets

British Airways has settled the not-quite-a-class-action* lawsuit against it, potentially paying millions of pounds to make the data breach case in the High Court of England and Wales go away.

PGMBM, one of the law firms which brought the group litigation against BA to the High Court, said in a statement that the case was settled on "confidential" terms.

"The resolution includes provision for compensation for qualifying claimants who were part of the litigation. The resolution does not include any admission of liability by British Airways Plc," said PGMBM.

The lawsuit was based on the 2018 BA data breach, where the credit card details of 380,000 people were stolen thanks to a Magecart infection on its payment processing pages.

The airline had been saving card details in plain text since 2015 and hadn't implemented MFA across the board, as we reported when regulators fined BA for its pisspoor data security practices – including saving a Windows domain admin username and password in plain text.

A BA spokesman said: "We apologised to customers who may have been affected by this issue and are pleased we've been able to settle the group action. When the issue arose we acted promptly to protect and inform our customers."

A PGMBM spokesman confirmed to The Register that today's settlement - which includes no admission of wrongdoing - still counts as a win, so its no-win no-fee promise to individuals who signed up to receive cash payouts still holds true. With legal fees capped at 35 per cent of the total payout from BA, this is a bumper payday for the lawyers.

Law firm Keller Lenkner said on its webpage advertising for British Airways claimants: "In our experience, and looking at similar cases, compensation of around £2,000 per claimant (on average) seems likely."

Sky News reported this morning that 16,000 people had applied to be part of the group litigation order (GLO), meaning the airline may have paid around £32m – though potentially less – to prevent the case going to trial. It was pencilled in at the High Court for a trial next summer before today's settlement news broke. Neither side would comment on the settlement sum.

The Information Commissioner's Office fined BA £20m for the breach last year, having previously threatened to impose a 747-sized penalty. The impact of the COVID-19 pandemic on the airline's finances was one of the main reasons for the fine being cut so drastically.

Back in 2018 when it was first mooted, the lawsuit was said to be worth up to £500m if every single eligible customer signed up.

Harris Pogust, chairman of PGMBM, said in the law firm's statement: "The pace at which we have been able to resolve this process with British Airways has been particularly encouraging and demonstrates how seriously the legal system is taking mass data incidents. This is a very positive sign as we look ahead to what will be an even bigger case against EasyJet relating to their 2020 data breach, as well as other similar international actions."

That latter case is still grinding through the courts. If all nine million people eligible to sue Easyjet for that airline's 2020 data breach were to sign up for that, it could cost the orange carrier up to £18bn. ®


Not everything went the lawyers' way in the BA litigation. A few months ago the law firms driving the GLO lost an attempt to make BA pay the costs of their adverts drumming up customers for the case, leaving them on the hook for £433,000. Small change in the world of data breach-chasing lawyers.

* This case, specifically, was a group litigation order (GLO) - you can read more on collective litigation in English courts here.

More about

More about

More about


Send us news

Other stories you might like