Maximise your Avios, air miles and hotel points

What more do we know about the British Airways data breach?

Links on Head for Points may support the site by paying a commission.  See here for all partner links.

Friday was one of those occasional crazy days for us.  Whenever British Airways is leading the news agenda we are normally sucked along in the tailwind, whether we like it or not.  Thanks to everyone who shared their experiences and suggestions via our comments.

I popped up in the Daily Telegraph (see here), The Guardian and Daily Express and I did a segment for talkRADIO.  I was even invited on Good Morning Britain but unfortunately (or not) the invite arrived after I had gone to bed on Thursday.

What did we actually learn though?

The key revelation yesterday was the sheer breadth of data that was stolen.

British Airways BA 777X 777 9X

We know that 380,000 bookings were compromised.  These were made between 22:58 on 21st August and 21:45 on 5th September.  For all of those bookings, the hackers have your:

  • email address
  • postal address
  • credit card number
  • expiration date
  • CVV

…. according to Alex Cruz on Radio 4.  The CVV data gives a clue to how this happened.  Companies are not allowed to store CVV numbers.  This means that the data was stolen on the journey from the BA IT system to BA’s payment processing company.

Who was impacted?

It still isn’t clear.  British Airways has said that only bookers at ba.com and via the mobile app were affected.

However, various reports in our comments and elsewhere suggest that people who have booked via telephone and with BA Holidays are receiving emails saying their details are compromised.  People who have only had money REFUNDED are also reporting getting the email.  It is probably best to assume that any transaction you’ve made which led to a BA credit card charge or refund is likely to be at risk.

Am I at risk if I didn’t make a booking?

No.  Any stored cards you have at ba.com were not compromised.

No passport or flight data was stolen either, as this is not passed to the payment processing company.

Whilst ba.com now says “The personal and financial details of customers making or changing bookings on ba.com and the airline’s mobile app were compromised.”, my reading of this is that you only have issues if you made a change which incurred a change fee.  Paying the change fee will have exposed your card details.

Will BA be fined for this?

Almost certainly, under the new GDPR regime which came into force this year.  It is likely to be the first major penalty enforced since those rules were adopted.  It will be interesting to see what level it is set at, given that the cap is 4% of BA’s (huge) turnover.

IAG’s share price fell 3.6% yesterday morning as investors worries about compensation payments and the impact on future bookings but had recovered to a 1.35% fall by the end of the day.  The overall market was only down 0.55%.

Talking of the new regulations …..

This, from the ICO website, is what the Information Commissioners Office says a company has to tell its customers when it discovers a breachBritish Airways did not comply with this in its original email to those who were impacted, which is why it had to send a 2nd email last night.  These are the rules:

“You need to describe, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.”

Should I pro-actively cancel my credit card?

There is no evidence yet of any card fraud linked to this breach.

This in itself is odd.  Why go to all the trouble of stealing this data if you are not going to cash in on it?

American Express has decided to do nothing.  If you want full peace of mind, I recommend reporting your card as ‘lost’ via the website which will trigger a new one.  Monzo, Starling, Virgin Money and Tesco Bank, amongst others have said that any card which was used for a BA transaction will automatically be replaced.

If you want to know more …..

There is a dedicated British Airways web page with more information which you can find here.


How to earn Avios from UK credit cards

How to earn Avios from UK credit cards (June 2024)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

Barclaycard Avios Plus card

Barclaycard Avios Plus Mastercard

Get 25,000 Avios for signing up and an upgrade voucher at £10,000 Read our full review

Barclaycard Avios card

Barclaycard Avios Mastercard

5,000 Avios for signing up and an upgrade voucher at £20,000 Read our full review

There are two official British Airways American Express cards with attractive sign-up bonuses:

British Airways American Express Premium Plus

25,000 Avios and the famous annual 2-4-1 voucher Read our full review

British Airways American Express

5,000 Avios for signing up and an Economy 2-4-1 voucher for spending £15,000 Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points. These points convert at 1:1 into Avios.

American Express Preferred Rewards Gold

Your best beginner’s card – 30,000 points (TO 16TH JULY), FREE for a year & four airport ….. Read our full review

The Platinum Card from American Express

40,000 bonus points and a huge range of valuable benefits – for a fee Read our full review

Run your own business?

We recommend Capital on Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios.

Capital on Tap Business Rewards Visa

10,000 points bonus – plus an extra 500 points for our readers Read our full review

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

American Express Business Platinum

40,000 points sign-up bonus and an annual £200 Amex Travel credit Read our full review

American Express Business Gold

20,000 points sign-up bonus and FREE for a year Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

Comments (105)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Sukh Nandhra says:

    What if I entered card/personal details where I am claiming for a flight delay compensation on the BA website ?

  • Simon Cross says:

    I bought a flight online at ba.com in this period using my Lloyds duo Amex card.

    Called Lloyds last night. Was advised that I did not need to do anything except to monitor my account carefully but decided to ask for a replacement card as I am not prepared to run the risk.

    New card on its way.

    The concern remains however that the thieves may use the data for other “identity fraud” purposes apart from just trying to charge to my card which of course they now cant.

    I now never store my card details on any site but enter them afresh each time but I have yet to find a way to delete stored card details from sites where I have stored them in the past – maybe I have to call each site to ask for this – such a time consuming operation.

    • Doug M says:

      I don’t know what’s the best approach. But storing your card on the site means the data travels less, as they already have the details and require only the CVV. You take your pick between do you trust BA to properly encrypt and store you info, versus the increased risk of repeated data transmissions each time you buy.

  • JP says:

    Will my details have been compromised if I have made an hotel booking using Avios on the BA website? I have received no notification or emails from BA.

  • Waribai says:

    Are you sure Rob that they have to give the name of the dp officer?

    The second email I received simply has this at the end
    “Once again, we truly apologise for any worry and inconvenience this criminal activity has caused. Our contact numbers can be found at ba.com, or you can email our Data Protection Officer at DPO@ba.com.”

  • B Brooks says:

    Not sure that AMEX are doing nothing.. I received an email from them specifically about the breach stating they are monitoring accounts.

    • YamYam says:

      Amex have also cancelled my BA Amex card used to purchase tickets in the affected period and are sending me a replacement with a new number.

    • Adey says:

      I called Amex and was told no need to cancel card, enhanced monitoring of all cards affected was in place but to check for fraudulent payments more frequently. Also, fully covered, no financial loss etc etc.

      I’m happy with that. Amex fraud detection seems to be very good. My bank on the other hand…..

  • danam says:

    “There is no evidence yet of any card fraud linked to this breach.”

    Simply not true. Lots of reports are out there. Not least from myself who had a whole 16 hours of repeated fraudulent activity on my (only recently issued) card. I was blaming a hotel I stayed in as that was the only place that I had physically handed the card to somebody. Then, this information comes up on Thursday.

    I booked flights at the start of the period.

    • Anna says:

      If you don’t mind saying, what we’re the type/amount of fraudulent transactions? It might help other readers to spot similar movement on their own accounts.

      • Nigel the Pensioner says:

        Uber cab fares in Europe (- where you haven’t been!)
        O2 mobile phone top ups (- even if youre not on O2 or allied provider like giff gaff)
        These 2 have been regulars…..
        But don’t expect anything until probably December when card activity takes off and unusual spending occurs on everyone’s cards.

        The one time my BA AmEx card was fraudulently used, was on a MIA to LHR overnight flight to buy duty free. I had flown long haul with BA 6 weeks previously and bought some stuff on board. I am lead to believe that (very disappointingly) it was a crew member who had noted my card details and used the card for an identifiable purchase! Now with them having to see passports as well, I guess this little scam has been buried – for now.

      • danam says:

        Canadian Netflix was one.

        The vast majority of the transactions were MBI PROBILLER, which is a payment provider for small websites I understand.

    • Rob says:

      There is no consistent pattern. You may be unlucky. The Lloyds Amex fraud last year involved thousands of cards all used in the US in the same week.

  • Andreas says:

    If I made a booking for a BA flight via Iberia website (IB codeshare) could I be affected? Tx

  • Nigel the Pensioner says:

    1) It is highly unlikely for any significant fraudulent activity to occur on cards with longer expiry dates, for many weeks. Be vigilant in December when all sorts of atypical transactions always take place!
    2) Your email address being compromised is an issue. How are BA going to compensate you for the hassle and aggro of dealing with the spam that you will receive and the blocking of your email address as a spammer every time you try to send an email – of which some will be important? At best they will end up in the recipients junk box unread if not completely blocked. You may have to completely change your email address (which is also the login for many sites) and advise hundreds of organisations and people of your new details.
    3) If you have a vote, your name and address is on the electoral register for any T D or H to pay to see. Don’t worry about the card breach from this angle. How else do you think Saga get your details to keep sending you stuff, which you put straight in the bin as it has always been overpriced?
    4) Alex Cruz should get back to loading and unloading baggage.

    • EvilGazebo says:

      Re 2), this is why I have my own domain and when I sign up to *anything* I use the email address “namenofthethingImsigningupto@mydomain.net”

      Any breach, I just set a rule to block/direct anything from that address to junk. Plus it lets me see who has been compromised even if they don’t announce it……

      • Adey says:

        Me too. Works a treat!

        PS I am on my first email address for here. Well done Rob 🙂

    • Nick_C says:

      Re the Electoral Register. You can, and should, opt out of the Open Register – the one that is sold commercially.

      See https://ico.org.uk/your-data-matters/electoral-register/ for more information about this issue

This article is closed to new comments. Feel free to ask your question in the HfP forums.

The UK's biggest frequent flyer website uses cookies, which you can block via your browser settings. Continuing implies your consent to this policy. Our privacy policy is here.