British Airways has settled a legal claim over a major data breach that affected 420,000 customers and staff.

The breach in 2018 included the leaking of names, addresses and card payment details and led to the Information Commissioner’s Office (ICO) handing out its largest ever fine at £20 million.

Law firm Pogust, Goodhead, Mousinho, Bianchini and Martins (PGMBM) said the settlement was reached following mediation with BA and the terms are confidential.

Previously, lawyers said the lawsuit was the largest group action over a data breach in British legal history, with 16,000 claimants when filed in April last year.

The deal struck will see claimants paid out and the airline said it has directly apologised to those involved.

Harris Pogust, chairman of PGMBM, said: “We are very pleased to have come to a resolution on this matter after constructive mediation with British Airways. This represents an extremely positive and timely solution for those affected by the data incident.

“The Information Commissioner’s Office laid out how BA did not take adequate measures to keep its passengers’ personal and financial information secure. However, this did not provide redress to those affected. This settlement now addresses that.”

A BA spokesperson said: “We apologised to customers who may have been affected by this issue and are pleased we’ve been able to settle the group action.

“When the issue arose we acted promptly to protect and inform our customers.”

The ICO initially threatened to fine BA £183 million for the breach under GDPR rules, but this was reduced to £20 million due to the airline pointing out it was in financial difficulty due to the Covid-19 pandemic.

PGMBM is also representing a growing number of claimants in a case relating to a similar data breach of EasyJet data revealed in May 2020, which saw nine million passengers’ data exposed, including names, email addresses and travel information.

Mr Pogust added: “The pace at which we have been able to resolve this process with British Airways has been particularly encouraging and demonstrates how seriously the legal system is taking mass data incidents.

“This is a very positive sign as we look ahead to what will be an even bigger case against EasyJet relating to their 2020 data breach, as well as other similar international actions.”