British Airways (BA) has settled one of the U.K.’s largest group actions after thousands of people sought compensation following a data breach that resulted in the airline being hit with a record privacy violation fine.
The 2018 breach affected 420,000 customers and staff and included the leaking of names, addresses, and payment card details. It led to the U.K. Information Commissioner’s Office (ICO) handing down a £20 million (then-U.S. $26 million) penalty under the EU’s General Data Protection Regulation (GDPR)—its largest fine to date.
Law firm PGMBM said the settlement was reached following mediation with BA and the terms are confidential. The settlement does not include any admission of liability by BA.
Previously, lawyers said the lawsuit was the largest group action over a data breach in British legal history, with 16,000 claimants when filed in April last year. Reports also suggested claimants were hoping to receive up to £2,000 each. However, sources have indicated the actual payouts are probably less than half that amount.
Nevertheless, the group settlement may be just under—or equal to—the fine the ICO issued.
Harris Pogust, chairman of PGMBM, said, “We are very pleased to have come to a resolution on this matter after constructive mediation with BA. This represents an extremely positive and timely solution for those affected by the data incident.
“The ICO laid out how BA did not take adequate measures to keep its passengers’ personal and financial information secure. However, this did not provide redress to those affected. This settlement now addresses that.”
A BA spokesperson said, “We apologized to customers who may have been affected by this issue and are pleased we’ve been able to settle the group action.”
The ICO initially threatened to fine BA approximately £183 million (then-U.S. $230 million) for the breach under the GDPR. The penalty was reduced following an appeal process that considered financial difficulties brought upon the company by the COVID-19 pandemic.
PGMBM is representing a growing number of claimants in a case relating to a similar breach at budget airline EasyJet from May 2020. The incident saw nine million passengers’ data exposed, including names, email addresses, and travel information.
“The pace at which we have been able to resolve this process with BA has been particularly encouraging and demonstrates how seriously the legal system is taking mass data incidents,” said Pogust. “This is a very positive sign.”
Group litigation claims are historically rare in the United Kingdom but are becoming more prevalent, according to Mark Blunden, head of technology at law firm Boyes Turner. “This decision will inevitably raise awareness of the opportunity to bring a claim or join a group action,” he said, adding “high-profile cases like this will give rise to a surge in speculative data breach claims.”
Carl Atkinson, employment partner at law firm gunnercooke, warned, “The loss of personal financial data will almost always be considered ‘stressful’ and worthy of compensation by the courts. Businesses should appreciate the risk which arises from a data breach and develop effective strategies to manage and mitigate their exposure.”
Sacha Wilson, technology partner at law firm Harbottle & Lewis, said the GDPR has given rise to a whole new industry in the United Kingdom of law firms looking to collect claimants to launch similar group data breach claims on a “no-win, no-fee” basis.
“The fact that such a large settlement sum was paid out will no doubt be a significant incentive to these types of firms looking to profit from these types of claims,” he said. “This case is a clear reminder to companies of their potential liability for individual compensation claims in parallel to fines and enforcement action from the supervisory authorities.”