British Airways (BA, London Heathrow) has paid an undisclosed sum to settle a claim brought by passengers and staff who were impacted by a massive data breach in 2018, the case’s court-appointed lead solicitors at law firm PGMBM revealed on July 6.

The IAG International Airlines Group-owned flag carrier has already paid a GBP20 million pound (USD27.6 million) fine ordered by the United Kingdom’s governmental Information Commissioner’s Office for failing to protect the personal and payment card details of around 430,000 of its customers and staff.

The 2018 cyber-attack continued unnoticed for two months during the busy summer holiday period before a third party notified the airline. The fine, reduced from GBP183.4 million (USD253 million) due to the pandemic’s financial impact, was the data protection watchdog’s biggest such penalty at the time.

In the latest settlement, PGMBM said in a statement that an agreement had been reached through mediation involving the law firm and the airline, avoiding the need for the claim to proceed to public trial after it was filed last year.

Those affected by the data leak will receive a confidential settlement, it elaborated, adding that the resolution does not include any admission of liability from the airline.

“The pace at which we have been able to resolve this process with British Airways has been particularly encouraging and demonstrates how seriously the legal system is taking mass data incidents,” said Harris Pogust, chairman of PGMBM.

In its own statement, British Airways said it “apologises to customers who may have been affected by this issue and are pleased we’ve been able to settle the group action. [When] the issue arose we acted promptly to protect and inform our customers.”

As well as being the lead solicitors in the BA data breach case, PGMBM said it was also representing “growing numbers of claimants” in a case related to a similar breach at easyJet (London Luton), first revealed in May 2020, which saw nine million passengers’ data exposed including names, email addresses, and travel information.