article featured image


British Airways has settled a case brought by customers and staff affected by a massive 2018 data breach that led to personal information being leaked.

PGMBM, one of the law firms which brought the group litigation against BA to the High Court of England and Wales, released a statement saying that the data breach litigation was resolved on confidential terms.

PGMBM Chairman Harris Pogust said:

We are very pleased to have come to a resolution on this matter after constructive mediation with British Airways. This represents an extremely positive and timely solution for those affected by the data incident.


On September 7th, 2018, British Airways revealed that its security systems have suffered a massive breach due to a Magecart infection on its payment processing pages. The British Airways data breach led to over 400,000 customers and staff having their personal data leaked, including:

  • Names
  • Addresses
  • Payment card numbers
  • CVV numbers
  • Usernames and passwords of BA accounts.

As reported by The Register, the airline had been saving card details in plain text since 2015 and hadn’t implemented MFA across the board.

The Information Commissioner’s Office fined BA £20m for the breach last year for failing to protect the personal and financial details of its customers. The ICO previously threatened to fine BA a record-breaking £183m for the 2018 incident. However, the impact of the COVID-19 pandemic on the airline’s finances was one of the main reasons for the fine being so drastically cut.

When it was first mooted back in 2018, the lawsuit was said to be worth up to £500m if every single eligible customer signed up.

In January, PGMBM had revealed that British Airways could face customer claims summing £800m – with payouts of up to £2,000 per person. At that time, it had signed up 16,000 people to its claim against the airline.

The pace at which we have been able to resolve this process with British Airways has been particularly encouraging and demonstrates how seriously the legal system is taking mass data incidents.  This is a very positive sign as we look ahead to what will be an even bigger case against easyJet relating to their 2020 data breach, as well as other similar international actions.


The airline welcomed the settlement saying they are very pleased to have come to a resolution on this matter after constructive mediation, adding that this represents “an extremely positive and timely solution for those affected by the data incident.”

Author Profile

Cezarina Dinu

Head of Marketing Communications & PR

linkedin icon

Cezarina is the Head of Marketing Communications and PR within Heimdal® and a cybersecurity enthusiast who loves bringing her background in content marketing, UX, and data analysis together into one job. She has a fondness for all things SEO and is always open to receiving suggestions, comments, or questions.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo