BA

British Airways admits massive data breach including theft of credit card numbers, expiry dates, CVV codes, email addresses and home addresses

Links on Head for Points pay us an affiliate commission. A list of our partners is here.

Friday 1pm update:  Various reports in our comments and elsewhere suggest that – despite BA statements – people who have booked via telephone and with BA Holidays are receiving emails saying their details are compromised.  There are also other people like myself who made redemption bookings who have not received any email.  It is probably best to assume that any transaction you’ve made which led to a BA credit card charge is likely to be at risk

Friday 12.30pm update:  IAG’s share price is down 3.6% so far today as investors worry about compensation payments and the impact on future bookings.  The overall market is only down 1.0%.

Friday 11.30am update:  It is worth noting that ba.com now says “The personal and financial details of customers making or changing bookings on ba.com and the airline’s mobile app were compromised.”  This means that you might be affected even if you did not purchase a ticket during this period.

The official ba.com page with more information is here.

Friday 10am update:  I get two paragraphs in the Daily Telegraph today, both website and newspaper – see here.  The Alex Cruz interview on Radio 4 this morning confirms that the following data has been stolen:

  • email address
  • postal address
  • credit card number
  • expiration data
  • CVV

Your frequent flyer and passport data has not been impacted as that is not transmitted during the payment process.

On the upside, there is no sign of the vest yet:

I just realised that I have not received the BA email, even though I made a redemption booking on 3rd September.  Whilst this was an Avios booking, I paid taxes on a credit card and the payment process is the same as for a cash booking.

Friday 9.30am update:  BA appears to be in breach of ICO guidelines in its email to affected customers.  To quote from the ICO website:

“You need to describe, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.”

Friday 9am update:  This breach is ONLY related to transactions made online at ba.com, not avios.com or BA Holidays it seems. This implies that BA may not have been encrypting payment details when they were sent to their payment processor and someone was picking them up on the way. You are at NO risk if you have a credit card stored at ba.com but did not make a purchase during this 2-week period.

Friday 8am update: It now appears that 380,000 transactions have been compromised.  You should have received an email overnight if you are included. There are no reports so far of card fraud linked to the breach and credit card companies are NOT replacing cards automatically. If you are nervous, you can report your Amex card as ‘lost’ via the website and it will be replaced.

 

The following press release just turned up from British Airways five minutes ago, for your information:

BRITISH AIRWAYS: THEFT OF CUSTOMER DATA

September 06, 2018

“British Airways is investigating, as a matter of urgency, the theft of customer data from its website, ba.com and the airline’s mobile app. The stolen data did not include travel or passport details.

From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised.

The breach has been resolved and our website is working normally.

British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice.

We have notified the police and relevant authorities.

Alex Cruz, British Airways’ Chairman and Chief Executive said “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”

British Airways will provide further updates when appropriate.”

Coming just a week after the high profile launch of the September sale – bookings for which have been caught up in this – the timing could not be worse.

I feel a bit sorry for British Airways at the moment.  They have spent the last year reversing the cut-backs of 2016 (the changes to Club Europe catering on the 12th are almost the final piece of the jigsaw) but there is no sign of public perception improving.  Good news, of course, makes for less interesting press coverage than bad news, which is why coming back from bad publicity is always hard.

Following on from the IT outage from last year, this theft is likely to raise more questions about the decision to move much of BA’s IT infrastructure to India.  Whatever money it saved will be peanuts compared to the costs of dealing with this breach.

And, given that I made a couple of redemptions last week, it looks like I’m going to need a new British Airways American Express card ….

The official BA web page discussing the leak and what you should do is here.

(Want to earn more Avios?  Click here to visit our home page for the latest articles on earning and spending your Avios points and click here to see how to earn more Avios from current offers and promotions.)

Your cut-out-and-keep guide to the new Marriott Rewards free breakfast benefit
What are the best credit card sign-up deals for September? - plus a news round-up
Click here to join the 13,000 people on our email list and receive the latest Avios, miles and points news by 6am.

IHG
Amazon ad
BA
About Head for Points

We help business and leisure travellers maximise their Avios, frequent flyer miles and hotel loyalty points. Visit every day for three new articles or sign up for our FREE emails via this page or the box to your right.

Comments

  1. EvilGazebo says:

    Total guesswork on my part but it sounds like an attack on a silent order post mechanism. To avoid the risk associated with processing card data on their own servers (ironically!), a merchant will utilise a payment processor solution where the payment page served up to your browser is from the merchant web server but when you submit the form the data is posted directly to the payment processor, never via the merchant. Problem arises if the website is breached and the page form altered to send a copy of that data to a host controlled by the attacker as well as to the processor.

    Fits the profile of this breach, especially the fact that CVV was taken. And little bit of googling suggests BA use a payment processor that does offer such a silent order post capability……..a better solution is for the payment page to be served up by the payment processor directly. But merchant e-commerce teams usually hate that because it reduces the control they have over the checkout journey look & feel etc.

    • If that’s the case (and I suspect you’re right) it’s about time they invested in a Web Application Firewall to monitor and protect the embedded form on their website.

      • Nigel the Pensioner says:

        …agree. Or about time they invested in a web site that worked!! There are far too many ways to navigate to a booking page and then you end up having to re-log in several times, Then, after getting a departure set up from AMS, you get to the final page and get the usual BA “error server” message!! VERY frustrating. It makes the “we take your security and safety” message a load of rubbish – now proven beyond all doubt.
        Luckily my last booking was charged 2 days before this nonsense.

    • “a better solution is for the payment page to be served up by the payment processor directly.”

      Software engineer here.

      No, it’s not a better solution, unless you’re talking payment pages that take you completely away from the originating site. Embedded forms would suffer from the same problem, parent page can alter elements within an embedded frame.

      Silent order post is pretty secure, if done right. We don’t know the details of the breach — might be that one of their developers put the malicius code there on purpose, in which case nothing would have stopped it from happening.

      • EvilGazebo says:

        “unless you’re talking payment pages that take you completely away from the originating site.”

        That is exactly what I’m talking about. Redirect to processor hosted payment page only requires a relatively straightforward PCI SAQ-A attestation whereas silent order post requires the more onerous SAQ-EP because of its higher risk. As do IFrame solutions (which are the worst of both worlds: crappy user experience and higher security risk).

        “might be that one of their developers put the malicius code there on purpose, in which case nothing would have stopped it from happening.”

        Not true. Redirect to a hosted payment page would have practically stopped it. Malicious dev would have no page to insert code into. Yes they could change the redirect URL to one under their control. But the key difference is that the genuine payment will not go through, unlike a silent post compromise. So the merchant is immediately alerted by the flood of failed checkouts and customers claiming they did complete. Whereas a silent post compromise can be undetected indefinitely if no one notices the dodgy code – it’s not like there is even data exfiltration that can be spotted in the merchant network as It is all coming from individual customer browsers.

        In one sense BA have been fortunate in that someone identified the rogue code when they did. Often this only happens *much* later once the attackers have had their fill of data and start to cash out using the details. At that point the pattern of usage will give the source away as per Monzo identifying the Ticketmaster breach.

  2. Just received this e-mail from BA AMEX confirming do nothing…………

    Dear Cardmember,
    I’m writing to you about the reported British Airways data breach involving personal and financial details of customers being compromised through their web and mobile app.

    We want to assure you we have industry-leading fraud protection technology that is continually monitoring for any suspicious activity in order to safeguard you. Also, our Cardmembers are never liable for any fraudulent charges on their Accounts. If you have used your American Express Card to book with British Airways, we are monitoring your Account for you.

    There is no action you need to take – we will contact you immediately if there’s any unusual activity with your Account. In the meantime you can continue to use your Card as normal.

    If we see any unusual activity which could be fraud, we will contact you immediately. For added protection, you can also sign up for free fraud and other Account activity notifications via email, SMS text messaging, or alerts through our app.
    Thank you for your continued Cardmembership.

    Yours sincerely,

    Charlotte Duerden
    Country Manager, American Express UK

    • Not had that email myself but have seen similar mentioned in Amex’s Twitter feed. But I’m sorry, I don’t want a fraudster even getting close to using my card details to commit a crime, regardless of how generous Amex will be ensuring I’m not out of pocket, so I’ve gone onto the Amex website and reported my card as “lost”. Slightly surprised and disappointed with their laissez faire attitude, when I’m also reading that other card issuers are proactively issuing replacement cards to those affected without them needing to be asked.

      • Totally agree.
        Unless you get a new card the risk is that 6 months down the road you’ll get a fraudulent charge on the Amex account. If their “industry-leading” fraud detection picks it up you’ll need a new card. Otherwise the onus is on you to spot it and inform Amex. You’ll then need a new card.
        Might as well get a new card today.

        • Nigel the Pensioner says:

          Quite right. These lot don’t use the details right away, they let the dust settle. You will likely find an Uber charge from Europe (notably Amsterdam) or an O2 mobile top up charge, appearing several months down the line, but at least a month before the card expiry. A new card is usually issued a month in advance of the old one expiring. I would be extra vigilant in December with Xmas coming up. This will be a challenge to AmEx’s highly sophisticated software judging by some of the things advertised around that time!!! Ho Ho Ho.

      • They know where you live, so they can just hang around outside and intercept the postman as he delivers it 🙂

        • You joke, but that has happened to me – about 10 years ago a fraudster somehow managed to order a replacement Amex for my account, intercepted it and subsequently changed the address on my account. I only noticed a problem when my monthly bill didn’t arrive and I called to find out why!

          So, this is the third fraud my card has been caught up in over the past year. First it was Curry’s then TicketMaster and now BA. the Curry’s data breach resulted in two fraudulent transactions for approx £500 each being authorised on my account. I spotted and reported them both within minutes as they popped up on the app on my phone. That time I had a new card issued, but that’s also a pain as I have the card registered in so many places.

          I won’t wait with baited breath to see what little compensation BA offer if my experience of fighting with them over travel disruption compensation is anything to go by.

      • See, I can’t see Amex’s attitude on this as ‘laissez faire’ at all. They have been pro-active with their comms, and I trust that they know what they’re doing as why would they risk having to refund people at their own expense if they thought there was a massive chance their fraud detection software wasn’t all over this.

        • luckyjim says:

          If you don’t spot the fraudulent transactions it you are the one out of pocket.

          If you do spot it Amex will attempt to claw back the money and/or if that fails they will simply charge BA as they have accepted liability.

          Put it another way. What do you as an individual lose by requesting a new card?

        • “as why would they risk having to refund people at their own expense”

          Fraudulent transactions aren’t their expense. It’s the merchants expense.

      • Tim Dunton says:

        I prefer the stance that Amex is taking. I’m abroad at the moment and I don’t my card cancelled and the hassle that entails.

    • Just got this email too, which is fine, but for the fact I haven’t made a BA booking for some time….

    • Had this email, I’ve had Amex fraud years ago, all refunded in 24 hours. I’ve never had my card refused, but have had the odd text messages to confirm transactions, which look unusual or are outside my usual pattern, their systems are good

      I think Amex are being proactive, better than most financial institutions. Not aware any other bank has sent anything.

      I’m not an Apple fan, but Apple Pay with Amex is the best thing invented, get a notification within a second every time your card is used.

      • You don’t need Apple for this, you can get it via the Amex app.

        • I have used that, I load Apple Pay, just in case I want to make a contactless payment on my Centurion, which isn’t chip and pin

      • Nigel the Pensioner says:

        You get a phone notification from AmEx within seconds of a transaction on every one of their cards (Centurion and AmEx black) if you sign up for it. You certainly don’t need anything to do with apple or i !!!

  3. Received an email an hour a go saying my details may have been compromised. Made a booking on monday.

    • I made an OB points redemption booking on Monday, the taxes/fees/charges payment paid by c/card, and I’ve had no emails from BA yet…

  4. luckyjim says:

    It is simply not true that Amex have ‘industry-leading fraud protection technology’. Or if it is true, the industry is in bad shape.. I’ve spent many thousands on overseas gambling sites and never had those transactions challenged. I have, however, had ‘pay at pump’ for petrol refused because Amex deemed it suspicious. I’ve also missed out on concert tickets because Amex rejected the payment to ‘protect’ me.

    Amex clearly don’t want to have to replace 300,000 cards but they don’t stand to lose any money here. Any fraud that is detected will be charged to BA.

  5. InfrequentFlyer says:

    I made a booking with my Tesco credit card a few days ago. I called them earlier and all seems fine. I received the following text message at 13:42 (GMT) today, as FYI:

    “We are getting in touch as we have identified that you made a transaction with British Airways that could have been impacted by their customer data compromise. We are taking steps to protect your Tesco Bank account from potential fraud by sending you a new card. Your new card will arrive within 10 days. If you have already spoken with us about this, please follow the instructions you received at the time. If you have not yet contacted us, you can continue to use your existing card as normal and manage your account online. But please note that you will not be able to manage your account using your mobile banking app for 36hrs. If something on your account doesn’t look right please get in touch with your Tesco Bank team.”

    • Tesco love the word fraud. Wish I had a pound for every time I was accused of it when buying 3Vs

  6. Dan Evans says:

    We made a change to a booking via TELEPHONE and have been advised by BA that our data may have been stolen. Seems like it’s not just the website and app.

  7. During this period I’ve had a refund from BA and made a telephone booking with avios.com. I’ve had an email saying I may have been affected but would my address and/or CVV number have been revealed in either of those transactions? There’s not been any suspicious activity on my card, but I’m planning to close it and churn soon anyway!

  8. Monzo just tweeted that they have proactively sent 1300 new cards for people who might be impacted. Another course of action….hmmm…

  9. Surely most HfP readers would have closed and churned the card used by now anyway!

  10. How confident are you Rob that your own third party content providers are secure?

    I know you don’t take card details but the premise – that any part of the page content not directly under your control can lead to data being lost – is valid.

    Card processors, adverts, analytics – anything somewhere else.

  11. Got up to an email from BA this morning about my account being compromised and get home this evening to a letter from another company stating that my account had been compromised. LOL.

  12. Couple of fraudulent spends, and you get that Amex welcome bonus that little bit quicker!
    Every cloud………

  13. I had my new Virgin CC on the BA site as I’m hitting those targets. Received this earlier

    Your new card

    Dear Graham

    We’re getting in touch to let you know that we are sending you a new Virgin Atlantic Credit Card.

    You may be aware that British Airways recently reported a data breach. We have identified that you may have used this site and therefore you could have been affected.

    Sending you a new card ahead of your normal card expiry date is an added precaution to protect your account from any potential fraudulent activity. Rest assured your account remains safe and you are not liable for any fraudulent transactions, just let us know if you see anything unusual on your statements.

    If you would like more information from British Airways, you can find it here.

    What do I need to do next?

    Your new Virgin Atlantic Credit Card will arrive in the next 7-10 days, you should:
    Activate your new card in Online Service straightaway.
    Sign your new card as soon as you receive it.
    Destroy your old card.
    As your new card will have a different number, make sure you change any card payments you have set up (e.g. online subscriptions) to the new card number.
    Your existing Credit Card will stop working in 14 days’ time or once you have activated your new one, so please switch over to the new one as soon as you receive it. Your PIN will remain the same.

    If you have already contacted us about this then please be assured your new card will be with you within 7-10 days and you can follow the steps above to start using your new card.

    Yours sincerely

    The Virgin Atlantic Credit Card Team

Please click here to read our data protection policy before submitting your comment.