
British Airways admits massive data breach including theft of credit card numbers


Friday 1pm update:  Various reports in our comments and elsewhere suggest that – despite BA statements – people who have booked via telephone and with BA Holidays are receiving emails saying their details are compromised.  There are also other people like myself who made redemption bookings who have not received any email.  It is probably best to assume that any transaction you’ve made which led to a BA credit card charge is likely to be at risk.

Friday 12.30pm update:  IAG’s share price is down 3.6% so far today as investors worry about compensation payments and the impact on future bookings.  The overall market is only down 1.0%.

Friday 11.30am update:  It is worth noting that ba.com now says “The personal and financial details of customers making or changing bookings on ba.com and the airline’s mobile app were compromised.”  This means that you might be affected even if you did not purchase a ticket during this period.

The official ba.com page with more information is here.

Friday 10am update:  I get two paragraphs in the Daily Telegraph today, both website and newspaper – see here.  The Alex Cruz interview on Radio 4 this morning confirms that the following data has been stolen:

  • email address
  • postal address
  • credit card number
  • expiration date
  • CVV

Your frequent flyer and passport data has not been impacted as that is not transmitted during the payment process.

On the upside, there is no sign of the vest yet:

I just realised that I have not received the BA email, even though I made a redemption booking on 3rd September.  Whilst this was an Avios booking, I paid taxes on a credit card and the payment process is the same as for a cash booking.

Friday 9.30am update:  BA appears to be in breach of ICO guidelines in its email to affected customers.  To quote from the ICO website:

“You need to describe, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.”

Friday 9am update:  This breach is ONLY related to transactions made online at ba.com, not avios.com or BA Holidays it seems. This implies that BA may not have been encrypting payment details when they were sent to their payment processor and someone was picking them up on the way. You are at NO risk if you have a credit card stored at ba.com but did not make a purchase during this 2-week period.

Friday 8am update: It now appears that 380,000 transactions have been compromised.  You should have received an email overnight if you are included. There are no reports so far of card fraud linked to the breach and credit card companies are NOT replacing cards automatically. If you are nervous, you can report your Amex card as ‘lost’ via the website and it will be replaced.

The following press release just turned up from British Airways five minutes ago, for your information:

BRITISH AIRWAYS: THEFT OF CUSTOMER DATA

September 06, 2018

“British Airways is investigating, as a matter of urgency, the theft of customer data from its website, ba.com and the airline’s mobile app. The stolen data did not include travel or passport details.

From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised.

The breach has been resolved and our website is working normally.

British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice.

We have notified the police and relevant authorities.

Alex Cruz, British Airways’ Chairman and Chief Executive said “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”

British Airways will provide further updates when appropriate.”

Coming just a week after the high profile launch of the September sale – bookings for which have been caught up in this – the timing could not be worse.

I feel a bit sorry for British Airways at the moment.  They have spent the last year reversing the cut-backs of 2016 (the changes to Club Europe catering on the 12th are almost the final piece of the jigsaw) but there is no sign of public perception improving.  Good news, of course, makes for less interesting press coverage than bad news, which is why coming back from bad publicity is always hard.

Following on from the IT outage from last year, this theft is likely to raise more questions about the decision to move much of BA’s IT infrastructure to India.  Whatever money it saved will be peanuts compared to the costs of dealing with this breach.

And, given that I made a couple of redemptions last week, it looks like I’m going to need a new British Airways American Express card ….

The official BA web page discussing the leak and what you should do is here.



Comments (266)


  • EvilGazebo says:

    Total guesswork on my part but it sounds like an attack on a silent order post mechanism. To avoid the risk associated with processing card data on their own servers (ironically!), a merchant will utilise a payment processor solution where the payment page served up to your browser is from the merchant web server but when you submit the form the data is posted directly to the payment processor, never via the merchant. Problem arises if the website is breached and the page form altered to send a copy of that data to a host controlled by the attacker as well as to the processor.

    Fits the profile of this breach, especially the fact that CVV was taken. And a little bit of googling suggests BA use a payment processor that does offer such a silent order post capability. A better solution is for the payment page to be served up by the payment processor directly. But merchant e-commerce teams usually hate that because it reduces the control they have over the checkout journey look & feel etc.
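    The scenario EvilGazebo describes (a merchant-served form whose page is altered to load or post to a host the attacker controls) is exactly what a page-integrity audit and a Content Security Policy are meant to catch. The script below is an added illustration written for this page; it is not BA’s code and not any payment processor’s SDK, and every hostname in it (`shop.example`, `pay.processor.example`, `collector.invalid`) is a constructed placeholder. It parses a checkout page, flags form actions and script sources outside an allowlist, requires Subresource Integrity on cross-origin scripts, counts inline scripts, and emits the CSP header that would have the browser enforce the same rules.

```python
"""Checkout-page integrity audit (added example, not BA's or any processor's code).

Checks the things a formjacking compromise changes on a merchant-hosted
silent-order-post page: where the form posts, which origins scripts load
from, whether cross-origin scripts carry SRI, and whether inline scripts
appear.  Also emits a matching Content-Security-Policy header.
All hostnames are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

MERCHANT_ORIGIN = "https://shop.example"            # assumed merchant site
PROCESSOR_ORIGIN = "https://pay.processor.example"  # assumed payment processor
ALLOWED_FORM_ACTIONS = {PROCESSOR_ORIGIN}
ALLOWED_SCRIPT_ORIGINS = {MERCHANT_ORIGIN, PROCESSOR_ORIGIN}


def origin_of(url, page_origin=MERCHANT_ORIGIN):
    """scheme://host for an absolute URL; a relative URL belongs to the page."""
    p = urlparse(url)
    if not p.scheme or not p.netloc:
        return page_origin
    return f"{p.scheme}://{p.netloc}"


class _Collector(HTMLParser):
    """Collects form actions, external script sources and inline script blocks."""

    def __init__(self):
        super().__init__()
        self.forms = []          # action attribute of every <form>
        self.scripts = []        # (src, has_integrity) for every <script src>
        self.inline_scripts = 0  # <script> blocks with a body and no src
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append(a.get("action") or "")
        elif tag == "script":
            if a.get("src"):
                self.scripts.append((a["src"], bool(a.get("integrity"))))
            else:
                self._in_inline = True

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.inline_scripts += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit(html):
    """Return a list of findings; an empty list means the page matches the allowlist."""
    c = _Collector()
    c.feed(html)
    findings = []
    for action in c.forms:
        if origin_of(action) not in ALLOWED_FORM_ACTIONS:
            findings.append(f"form posts to unexpected origin: {action or '(same page)'}")
    for src, has_sri in c.scripts:
        o = origin_of(src)
        if o not in ALLOWED_SCRIPT_ORIGINS:
            findings.append(f"script from unexpected origin: {src}")
        elif o != MERCHANT_ORIGIN and not has_sri:
            findings.append(f"cross-origin script without integrity attribute: {src}")
    if c.inline_scripts:
        findings.append(f"{c.inline_scripts} inline script block(s) present; a nonce-based CSP would block these")
    return findings


def csp_header():
    """Content-Security-Policy that makes the browser enforce the same allowlist."""
    scripts = " ".join(sorted(ALLOWED_SCRIPT_ORIGINS))
    forms = " ".join(sorted(ALLOWED_FORM_ACTIONS))
    return (f"default-src 'self'; script-src {scripts}; connect-src {scripts}; "
            f"form-action {forms}; report-uri /csp-report")


# Constructed sample: the page as the merchant deployed it.
CLEAN_PAGE = """<html><body>
<script src="https://shop.example/js/checkout.js"></script>
<script src="https://pay.processor.example/sdk.js" integrity="sha384-CONSTRUCTED"></script>
<form id="card" method="post" action="https://pay.processor.example/sop">
  <input name="cardNumber"><input name="cvv"><button>Pay</button>
</form>
</body></html>
"""

# Constructed sample: same page with an extra third-party script and an inline
# block added; the form action is untouched, so a form-action check alone misses it.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    '<script src="https://shop.example/js/checkout.js"></script>',
    '<script src="https://shop.example/js/checkout.js"></script>\n'
    '<script src="https://collector.invalid/c.js"></script>\n'
    '<script>/* constructed placeholder for injected code */</script>',
)

if __name__ == "__main__":
    print("clean:", audit(CLEAN_PAGE))
    print("tampered:", audit(TAMPERED_PAGE))
    print("CSP:", csp_header())
```

    Running the audit on every deploy (and on the live page from an external vantage point, since a tampered page may be served only to real customers) turns the silent change EvilGazebo describes into a diff that someone sees. The CSP with `report-uri` adds a second signal: browsers that refuse the unexpected script also report it back to the merchant.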

    • Simon says:

      If that’s the case (and I suspect you’re right) it’s about time they invested in a Web Application Firewall to monitor and protect the embedded form on their website.

      • Nigel the Pensioner says:

        …agree. Or about time they invested in a web site that worked!! There are far too many ways to navigate to a booking page and then you end up having to re-log in several times, Then, after getting a departure set up from AMS, you get to the final page and get the usual BA “error server” message!! VERY frustrating. It makes the “we take your security and safety” message a load of rubbish – now proven beyond all doubt.
        Luckily my last booking was charged 2 days before this nonsense.

    • S says:

      “a better solution is for the payment page to be served up by the payment processor directly.”

      Software engineer here.

      No, it’s not a better solution, unless you’re talking payment pages that take you completely away from the originating site. Embedded forms would suffer from the same problem, parent page can alter elements within an embedded frame.

      Silent order post is pretty secure, if done right. We don’t know the details of the breach — might be that one of their developers put the malicious code there on purpose, in which case nothing would have stopped it from happening.

      • EvilGazebo says:

        “unless you’re talking payment pages that take you completely away from the originating site.”

        That is exactly what I’m talking about. Redirect to processor hosted payment page only requires a relatively straightforward PCI SAQ-A attestation whereas silent order post requires the more onerous SAQ-EP because of its higher risk. As do IFrame solutions (which are the worst of both worlds: crappy user experience and higher security risk).

        “might be that one of their developers put the malicious code there on purpose, in which case nothing would have stopped it from happening.”

        Not true. Redirect to a hosted payment page would have practically stopped it. Malicious dev would have no page to insert code into. Yes they could change the redirect URL to one under their control. But the key difference is that the genuine payment will not go through, unlike a silent post compromise. So the merchant is immediately alerted by the flood of failed checkouts and customers claiming they did complete. Whereas a silent post compromise can be undetected indefinitely if no one notices the dodgy code – it’s not like there is even data exfiltration that can be spotted in the merchant network as It is all coming from individual customer browsers.

        In one sense BA have been fortunate in that someone identified the rogue code when they did. Often this only happens *much* later once the attackers have had their fill of data and start to cash out using the details. At that point the pattern of usage will give the source away as per Monzo identifying the Ticketmaster breach.
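        EvilGazebo’s contrast above (a tampered redirect produces a flood of failed checkouts and support calls, whereas a tampered silent post leaves the payment flow working) is something a merchant can monitor for. The script below is an added illustration for this page, not BA’s or any processor’s tooling. It reads constructed checkout log lines (timestamp, event, order id), groups them into hourly windows and raises an alert when the share of customers redirected to the hosted payment page who come back with a confirmed payment drops, counting support claims of “I did pay” alongside. The log lines, event names and thresholds are all constructed for the example.

```python
"""Hosted-payment-page funnel monitor (added example, not BA's or a processor's code).

With a redirect to a processor-hosted page, tampering with the redirect shows up
as redirected customers who never return with a confirmed payment.  This groups
constructed log lines into hourly windows and alerts when the confirmation
ratio falls below a threshold.  Event names and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <event> <order id>".
# 08:00 hour is healthy; 09:00 hour models a tampered redirect.
SAMPLE_LOG = """\
2018-09-06T08:01:10 redirect_out 1001
2018-09-06T08:01:52 payment_confirmed 1001
2018-09-06T08:05:03 redirect_out 1002
2018-09-06T08:05:41 payment_confirmed 1002
2018-09-06T08:12:30 redirect_out 1003
2018-09-06T08:13:09 payment_confirmed 1003
2018-09-06T08:20:00 redirect_out 1004
2018-09-06T08:20:45 payment_confirmed 1004
2018-09-06T08:33:15 redirect_out 1005
2018-09-06T08:33:58 payment_confirmed 1005
2018-09-06T08:47:22 redirect_out 1006
2018-09-06T08:48:01 payment_confirmed 1006
2018-09-06T09:02:11 redirect_out 1007
2018-09-06T09:03:44 redirect_out 1008
2018-09-06T09:09:27 redirect_out 1009
2018-09-06T09:10:02 payment_confirmed 1009
2018-09-06T09:15:50 redirect_out 1010
2018-09-06T09:21:13 support_claim 1007
2018-09-06T09:28:36 redirect_out 1011
2018-09-06T09:35:05 support_claim 1008
2018-09-06T09:41:48 redirect_out 1012
2018-09-06T09:52:19 support_claim 1010
"""


def parse_line(line):
    """Split one constructed log line into (datetime, event, order_id)."""
    ts, event, order_id = line.split()
    return datetime.fromisoformat(ts), event, order_id


def window_stats(lines):
    """Return {hour_start: [redirects, confirmed, support_claims]}."""
    stats = defaultdict(lambda: [0, 0, 0])
    for line in lines:
        if not line.strip():
            continue
        ts, event, _ = parse_line(line)
        hour = ts.replace(minute=0, second=0, microsecond=0)
        if event == "redirect_out":
            stats[hour][0] += 1
        elif event == "payment_confirmed":
            stats[hour][1] += 1
        elif event == "support_claim":
            stats[hour][2] += 1
    return stats


def alerts(lines, min_ratio=0.7, min_redirects=5):
    """Windows where confirmed/redirected falls below min_ratio.

    Returns (hour ISO string, redirects, confirmed, support_claims) tuples.
    min_redirects avoids alerting on a nearly empty window (e.g. overnight).
    """
    out = []
    for hour, (redirects, confirmed, claims) in sorted(window_stats(lines).items()):
        if redirects >= min_redirects and confirmed / redirects < min_ratio:
            out.append((hour.isoformat(), redirects, confirmed, claims))
    return out


if __name__ == "__main__":
    for hour, r, c, claims in alerts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {hour}: {c}/{r} redirected checkouts confirmed, {claims} support claims")
```

        The same monitor says nothing about a silent-post compromise, which is EvilGazebo’s point: in that design the genuine payment still completes, so the confirmation ratio stays normal and only a page-integrity check or a customer-side CSP report reveals the change.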

  • TOMM says:

    Just received this e-mail from BA AMEX confirming do nothing…………

    Dear Cardmember,
    I’m writing to you about the reported British Airways data breach involving personal and financial details of customers being compromised through their web and mobile app.

    We want to assure you we have industry-leading fraud protection technology that is continually monitoring for any suspicious activity in order to safeguard you. Also, our Cardmembers are never liable for any fraudulent charges on their Accounts. If you have used your American Express Card to book with British Airways, we are monitoring your Account for you.

    There is no action you need to take – we will contact you immediately if there’s any unusual activity with your Account. In the meantime you can continue to use your Card as normal.

    If we see any unusual activity which could be fraud, we will contact you immediately. For added protection, you can also sign up for free fraud and other Account activity notifications via email, SMS text messaging, or alerts through our app.
    Thank you for your continued Cardmembership.

    Yours sincerely,

    Charlotte Duerden
    Country Manager, American Express UK

    • Tim says:

      Not had that email myself but have seen similar mentioned in Amex’s Twitter feed. But I’m sorry, I don’t want a fraudster even getting close to using my card details to commit a crime, regardless of how generous Amex will be ensuring I’m not out of pocket, so I’ve gone onto the Amex website and reported my card as “lost”. Slightly surprised and disappointed with their laissez faire attitude, when I’m also reading that other card issuers are proactively issuing replacement cards to those affected without them needing to be asked.

      • John H says:

        Totally agree.
        Unless you get a new card the risk is that 6 months down the road you’ll get a fraudulent charge on the Amex account. If their “industry-leading” fraud detection picks it up you’ll need a new card. Otherwise the onus is on you to spot it and inform Amex. You’ll then need a new card.
        Might as well get a new card today.

        • Nigel the Pensioner says:

          Quite right. These lot don’t use the details right away, they let the dust settle. You will likely find an Uber charge from Europe (notably Amsterdam) or an O2 mobile top up charge, appearing several months down the line, but at least a month before the card expiry. A new card is usually issued a month in advance of the old one expiring. I would be extra vigilant in December with Xmas coming up. This will be a challenge to AmEx’s highly sophisticated software judging by some of the things advertised around that time!!! Ho Ho Ho.

      • Rob says:

        They know where you live, so they can just hang around outside and intercept the postman as he delivers it 🙂

        • Simon. says:

          You joke, but that has happened to me – about 10 years ago a fraudster somehow managed to order a replacement Amex for my account, intercepted it and subsequently changed the address on my account. I only noticed a problem when my monthly bill didn’t arrive and I called to find out why!

          So, this is the third fraud my card has been caught up in over the past year. First it was Curry’s, then TicketMaster and now BA. The Curry’s data breach resulted in two fraudulent transactions for approx £500 each being authorised on my account. I spotted and reported them both within minutes as they popped up on the app on my phone. That time I had a new card issued, but that’s also a pain as I have the card registered in so many places.

          I won’t wait with bated breath to see what little compensation BA offer if my experience of fighting with them over travel disruption compensation is anything to go by.

      • Kieran says:

        See, I can’t see Amex’s attitude on this as ‘laissez faire’ at all. They have been pro-active with their comms, and I trust that they know what they’re doing as why would they risk having to refund people at their own expense if they thought there was a massive chance their fraud detection software wasn’t all over this.

        • luckyjim says:

          If you don’t spot the fraudulent transactions you are the one out of pocket.

          If you do spot it Amex will attempt to claw back the money and/or if that fails they will simply charge BA as they have accepted liability.

          Put it another way. What do you as an individual lose by requesting a new card?

        • S says:

          “as why would they risk having to refund people at their own expense”

          Fraudulent transactions aren’t their expense. It’s the merchant’s expense.

      • Tim Dunton says:

        I prefer the stance that Amex is taking. I’m abroad at the moment and I don’t want my card cancelled and the hassle that entails.

    • Kathryn says:

      Just got this email too, which is fine, but for the fact I haven’t made a BA booking for some time….

    • David says:

      Had this email. I’ve had Amex fraud years ago, all refunded in 24 hours. I’ve never had my card refused, but have had the odd text message to confirm transactions which look unusual or are outside my usual pattern; their systems are good.

      I think Amex are being proactive, better than most financial institutions. Not aware any other bank has sent anything.

      I’m not an Apple fan, but Apple Pay with Amex is the best thing invented, get a notification within a second every time your card is used.

      • Crafty says:

        You don’t need Apple for this, you can get it via the Amex app.

        • David says:

          I have used that, I load Apple Pay, just in case I want to make a contactless payment on my Centurion, which isn’t chip and pin

      • Nigel the Pensioner says:

        You get a phone notification from AmEx within seconds of a transaction on every one of their cards (Centurion and AmEx black) if you sign up for it. You certainly don’t need anything to do with apple or i !!!

  • Simon J says:

    Received an email an hour ago saying my details may have been compromised. Made a booking on Monday.

    • shd says:

      I made an OB points redemption booking on Monday, the taxes/fees/charges payment paid by c/card, and I’ve had no emails from BA yet…

  • luckyjim says:

    It is simply not true that Amex have ‘industry-leading fraud protection technology’. Or if it is true, the industry is in bad shape. I’ve spent many thousands on overseas gambling sites and never had those transactions challenged. I have, however, had ‘pay at pump’ for petrol refused because Amex deemed it suspicious. I’ve also missed out on concert tickets because Amex rejected the payment to ‘protect’ me.

    Amex clearly don’t want to have to replace 300,000 cards but they don’t stand to lose any money here. Any fraud that is detected will be charged to BA.

  • InfrequentFlyer says:

    I made a booking with my Tesco credit card a few days ago. I called them earlier and all seems fine. I received the following text message at 13:42 (GMT) today, as FYI:

    “We are getting in touch as we have identified that you made a transaction with British Airways that could have been impacted by their customer data compromise. We are taking steps to protect your Tesco Bank account from potential fraud by sending you a new card. Your new card will arrive within 10 days. If you have already spoken with us about this, please follow the instructions you received at the time. If you have not yet contacted us, you can continue to use your existing card as normal and manage your account online. But please note that you will not be able to manage your account using your mobile banking app for 36hrs. If something on your account doesn’t look right please get in touch with your Tesco Bank team.”

    • xcalx says:

      Tesco love the word fraud. Wish I had a pound for every time I was accused of it when buying 3Vs

  • Dan Evans says:

    We made a change to a booking via TELEPHONE and have been advised by BA that our data may have been stolen. Seems like it’s not just the website and app.

    • Craig says:

      All I can think is that the telephone agents use the same credit card processing website.

      • Daniel Evans says:

        That is a good point, but BA is not being very clear to customers about this.

  • Anna says:

    During this period I’ve had a refund from BA and made a telephone booking with avios.com. I’ve had an email saying I may have been affected but would my address and/or CVV number have been revealed in either of those transactions? There’s not been any suspicious activity on my card, but I’m planning to close it and churn soon anyway!

  • Sundar says:

    Monzo just tweeted that they have proactively sent 1300 new cards for people who might be impacted. Another course of action….hmmm…
