British Airways has settled a legal claim by some of the 420,000 people affected by a major 2018 data breach.
The breach affected both customers and BA staff and included names, addresses, and payment-card details.
The Information Commissioner’s Office handed BA its largest fine to date, of £20m, over the “unacceptable” failure to protect customers.
But BA’s settlement – the amount of which remains confidential – did not include any admission of liability.
Qualifying claimants
While collective legal action is not as common in the UK as similar class-action suits in the US, group actions do happen.
Law firm Pogust, Goodhead, Mousinho, Bianchini and Martins earlier this year said the BA compensation claim had become “the largest group-action personal-data claim in UK history”, with more than 16,000 affected people involved.
And on Tuesday, PGMBM, the lead firm in the action, announced the settlement included compensation for “qualifying claimants who were part of the litigation”.
But because the terms of the settlement are confidential, it is unclear how many of the 16,000 will receive a payout – or how much BA will end up paying.
The ICO’s multi-million-pound fine “did not provide redress to those affected”, PGMBM chairman Harris Pogust said.
“This settlement now addresses that.”
BA issued a brief statement saying it was “pleased we’ve been able to settle the group action”.
It apologised to customers and reiterated its stance it had acted promptly when it had discovered the problem.
The settlement may now draw a line under the long-running and high-profile data breach.
Following an investigation, the ICO initially said it planned to fine BA a record-breaking £183m for the 2018 incident.
But it lowered that amount substantially after representations from BA.
In its penalty notice of October 2020, the ICO said BA had argued penalties should be “significantly reduced or not imposed at all” because of the financial hardship airlines faced during lockdowns, when few flights were running.
And the ICO had taken this into account when lowering its fine to £20m.