What more do we know about the British Airways data breach?

Friday was one of those occasional crazy days for us.  Whenever British Airways is leading the news agenda we are normally sucked along in the tailwind, whether we like it or not.  Thanks to everyone who shared their experiences and suggestions via our comments.

I popped up in the Daily Telegraph (see here), The Guardian and Daily Express and I did a segment for talkRADIO (listen here in the 14.30 segment, 5:11 in).  I was even invited on Good Morning Britain but unfortunately (or not) the invite arrived after I had gone to bed on Thursday.

What did we actually learn though?

The key revelation yesterday was the sheer breadth of data that was stolen.

We know that 380,000 bookings were compromised.  These were made between 22:58 on 21st August and 21:45 on 5th September.  For all of those bookings, the hackers have your:

  • email address
  • postal address
  • credit card number
  • expiration date
  • CVV

…. according to Alex Cruz on Radio 4.  The CVV data gives a clue to how this happened.  Companies are not allowed to store CVV numbers.  This means that the data was stolen on the journey from the BA IT system to BA’s payment processing company.

Who was impacted?

It still isn’t clear.  British Airways has said that only bookers at and via the mobile app were affected.

However, various reports in our comments and elsewhere suggest that people who have booked via telephone and with BA Holidays are receiving emails saying their details are compromised.  People who have only had money REFUNDED are also reporting getting the email.  It is probably best to assume that any transaction you’ve made which led to a BA credit card charge or refund is likely to be at risk.

Am I at risk if I didn’t make a booking?

No.  Any stored cards you have at were not compromised.

No passport or flight data was stolen either, as this is not passed to the payment processing company.

Whilst now says “The personal and financial details of customers making or changing bookings on and the airline’s mobile app were compromised.”, my reading of this is that you only have issues if you made a change which incurred a change fee.  Paying the change fee will have exposed your card details.

Will BA be fined for this?

Almost certainly, under the new GDPR regime which came into force this year.  It is likely to be the first major penalty enforced since those rules were adopted.  It will be interesting to see what level it is set at, given that the cap is 4% of BA’s (huge) turnover.

IAG’s share price fell 3.6% yesterday morning as investors worried about compensation payments and the impact on future bookings, but had recovered to a 1.35% fall by the end of the day.  The overall market was only down 0.55%.

Talking of the new regulations …..

This, from the ICO website, is what the Information Commissioner’s Office says a company has to tell its customers when it discovers a breach.  British Airways did not comply with this in its original email to those who were impacted, which is why it had to send a 2nd email last night.  These are the rules:

“You need to describe, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.”

Should I pro-actively cancel my credit card?

There is no evidence yet of any card fraud linked to this breach.

This in itself is odd.  Why go to all the trouble of stealing this data if you are not going to cash in on it?

American Express has decided to do nothing.  If you want full peace of mind, I recommend reporting your card as ‘lost’ via the website, which will trigger a new one.  Monzo, Starling, Virgin Money and Tesco Bank, amongst others, have said that any card which was used for a BA transaction will automatically be replaced.

If you want to know more …..

There is a dedicated British Airways web page with more information which you can find here.


Comments (105)

  • Shoestring says:

    I would hope the GDPR fine to BA will be proportionate.

    I’d have thought a £50K rap over the wrists would do it.

    Not as if anybody has suffered any direct losses – consequential losses would be different but if they were compensated for fairly, I can’t see why BA should be hung out to dry.

    • Rob says:

      I’m sure there are now people abroad whose credit cards have been closed on them. As I know from recent experience, changing the 10 or so regular payments against my HFP card when it was reissued took a long time.

      I am guessing £2m with a potential discount for swift disclosure.

    • delbert says:

      Shoestring’s doing a good job at trolling. We really don’t know what’s down the line for those affected so your words ring hollow.

      • Evan says:

        If you think that’s trolling you’ve lived a sheltered life. I think s/he is right.

  • Unlucky says:

    My husband and I were both affected by this – we redeemed companion fares last weekend since there was availability for a holiday period, and paid using our BA Amex. Although Amex has asked us not to take further action, I can’t really deal with having to monitor card usage so we’ve cancelled and asked for new cards.

    What I am concerned about is identity fraud now that our details are available for sale. Granted, name, email and address is probably available via other companies that we’ve signed up for, but this info is now available for sale publicly, and I’d imagine is sufficient for authentication purposes for some companies (“To proceed please provide your postcode, and email address…”). Is anyone else concerned about this?

    • Shoestring says:


      We all regularly sign up to umpteen companies with email, real name, address, phone etc. None of which info gets the villain very far on its own. If it does get the villain somewhere before you realise, & you lose out, then you get fully compensated by your bank etc.

      It only takes one rogue guy in IT or Finance to steal that info. Much good it would do them.

      If you want to live in a cave, live in a cave.

      The real victims will be Mr & Mrs Senile who later fall for a phone scam.

    • Roger1* says:

      Yes! I’m concerned.

      Not only have BA given away a whole lot of personal information about me, my BAPP card has almost 5 years to expiry. In spite of the reassurances, that’s far too long for comfort.

      I’m inclined to cancel for a new AmEx account. If I do, what happens to the promos I’m signed up for, e.g. 5,000 Avios for this, 3,000 Avios for that? Do they transfer across automatically, or do I have to re-register? And those that are halfway through?

      Grateful for insight.

  • James Richardson says:

    Thanks Rob. Another good read.

    When you say AMEX is doing nothing, my experience of their response is that they are saying you need to DO nothing as their fraud detection capabilities will be monitoring and are confident in being able to see erroneous transactions or behaviour, so that’s quite different.

    So it’s a positive ‘do nothing’ rather than a lazy one.

    Hope this helps.

    • Rob says:

      Agreed, although some people would have preferred card replacements.

      • Margaret Brownlie says:

        I think that they are trying to avoid everyone asking for a replacement at once, though they seem capable of managing it better than anyone. I cancelled my card on Friday, and the new one arrived yesterday, less than 24 hours later!

  • Froggitt says:

    Claims in the Sunday Times that BA were/are not PCI compliant…..the international standard for keeping card details secure. They denied it.

  • Alex Sm says:

    Actually, this would be detrimental for ALL BA passengers, not just those affected by data loss: the hefty fine will mean more aggressive cost cutting, even worse customer care, more expensive fares etc. It’s a downward spiral really (writing this from onboard a reward BA flight after which I’m not going to consciously choose BA for flying)

  • Joe says:

    I’ve had a fraudulent charge on my Amex since the data breach – but that’s because I managed to drop it whilst slightly inebriated in the US

  • luckyjim says:

    I’m finding it impossible to get through to Amex via chat today. I wonder if a lot of people are contacting them after reading the Sunday papers.
