
What more do we know about the British Airways data breach?


Friday was one of those occasional crazy days for us.  Whenever British Airways is leading the news agenda we are normally sucked along in the tailwind, whether we like it or not.  Thanks to everyone who shared their experiences and suggestions via our comments.

I popped up in the Daily Telegraph (see here), The Guardian and Daily Express and I did a segment for talkRADIO.  I was even invited on Good Morning Britain but unfortunately (or not) the invite arrived after I had gone to bed on Thursday.

What did we actually learn though?

The key revelation yesterday was the sheer breadth of data that was stolen.


We know that 380,000 bookings were compromised.  These were made between 22:58 on 21st August and 21:45 on 5th September.  For all of those bookings, the hackers have your:

  • email address
  • postal address
  • credit card number
  • expiration date
  • CVV

… according to Alex Cruz on Radio 4.  The CVV is the clue to how this happened.  Under the card industry's PCI DSS rules a merchant is not allowed to keep the CVV once a payment has been authorised, so it cannot have been lifted from a database of past bookings.  It must have been captured while it was in flight: at the moment the customer typed it in, or somewhere on the journey from the BA IT system to BA's payment processing company.

Who was impacted?

It still isn’t clear.  British Airways has said that only customers who booked on ba.com or via the mobile app were affected.

However, various reports in our comments and elsewhere suggest that people who have booked via telephone and with BA Holidays are receiving emails saying their details are compromised.  People who have only had money REFUNDED are also reporting getting the email.  It is probably best to assume that any transaction you’ve made which led to a BA credit card charge or refund is likely to be at risk.

Am I at risk if I didn’t make a booking?

No.  Any stored cards you have at ba.com were not compromised.

No passport or flight data was stolen either, as this is not passed to the payment processing company.

Whilst ba.com now says “The personal and financial details of customers making or changing bookings on ba.com and the airline’s mobile app were compromised.”, my reading of this is that you only have a problem if you made a change which incurred a change fee.  Paying the change fee will have sent your card details through the same payment flow; a free change never touches it.
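To make the scoping rule above concrete, here is an added example (my own code, not BA’s) that applies it to a constructed sample of booking events: an event counts as exposed only if it falls inside the window BA quoted (22:58 on 21st August to 21:45 on 5th September, assumed to be UK local time, which is BST throughout) and actually moved money on a card, i.e. a charge or a refund but not a £0 change.  The field names, the log layout and the sample customers are all assumptions for illustration.

```python
"""Scoping which customers need a breach notification from a transaction log.

Added example, not British Airways' code. It encodes the rule on the page:
inside the stated window AND the card actually went through the payment
flow (a charge or a refund). A free change (amount 0) never reaches the
payment processor, so it is excluded. Channel is deliberately ignored,
because the page reports phone and BA Holidays customers being notified too.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal

# The whole window lies in British Summer Time (UTC+1), so a fixed offset is
# enough here; a window straddling a clock change would need a real tz database.
BST = timezone(timedelta(hours=1), name="BST")
WINDOW_START = datetime(2018, 8, 21, 22, 58, tzinfo=BST)
WINDOW_END = datetime(2018, 9, 5, 21, 45, tzinfo=BST)


@dataclass(frozen=True)
class BookingEvent:
    customer: str       # assumed identifier (constructed sample data below)
    kind: str           # "booking", "change", "seat_change", "refund"
    when: datetime      # timezone-aware timestamp
    amount: Decimal     # positive = charge, negative = refund, 0 = free
    channel: str        # "web", "app", "phone"


def card_was_presented(ev: BookingEvent) -> bool:
    """True if card details were sent to the payment processor for this event.
    Any non-zero movement (charge or refund) goes through the payment flow."""
    return ev.amount != 0


def in_window(ev: BookingEvent) -> bool:
    """Inclusive check against the quoted window, normalising to BST first so
    UTC-stamped events from other systems are compared correctly."""
    t = ev.when.astimezone(BST)
    return WINDOW_START <= t <= WINDOW_END


def affected_customers(events) -> list[str]:
    """Distinct customers with at least one exposed event, sorted for reporting."""
    return sorted({ev.customer for ev in events
                   if in_window(ev) and card_was_presented(ev)})


# Constructed sample log (not real data). Each case mirrors a situation
# raised on the page: a booking just before the window, a paid booking inside
# it, a free seat change, a refund, a paid change just after the window, and a
# UTC-stamped booking that converts to 21:40 BST, inside the window.
SAMPLE_EVENTS = [
    BookingEvent("alice", "booking", datetime(2018, 8, 21, 20, 30, tzinfo=BST),
                 Decimal("450.00"), "web"),
    BookingEvent("bob", "booking", datetime(2018, 8, 22, 9, 0, tzinfo=BST),
                 Decimal("320.00"), "app"),
    BookingEvent("carol", "seat_change", datetime(2018, 8, 31, 12, 0, tzinfo=BST),
                 Decimal("0.00"), "web"),
    BookingEvent("dave", "refund", datetime(2018, 9, 3, 15, 0, tzinfo=BST),
                 Decimal("-120.00"), "phone"),
    BookingEvent("erin", "change", datetime(2018, 9, 5, 21, 50, tzinfo=BST),
                 Decimal("60.00"), "web"),
    BookingEvent("frank", "booking", datetime(2018, 9, 5, 20, 40, tzinfo=timezone.utc),
                 Decimal("210.00"), "web"),
]

if __name__ == "__main__":
    for name in affected_customers(SAMPLE_EVENTS):
        print("notify:", name)
```

Run as-is it lists bob, dave and frank: alice booked two hours before the window opened, carol’s seat change was free, and erin paid five minutes after it closed.  The point of the timezone handling is that a log stamped in UTC (frank) would be wrongly excluded by a naive string comparison against the BST window.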

Will BA be fined for this?

Almost certainly, under the new GDPR regime which came into force in May this year.  It is likely to be the first major penalty enforced since those rules were adopted.  It will be interesting to see what level it is set at, given that the cap is the higher of €20 million or 4% of BA’s (huge) worldwide annual turnover.

IAG’s share price fell 3.6% yesterday morning as investors worried about compensation payments and the impact on future bookings, but it had recovered to a 1.35% fall by the end of the day.  The overall market was only down 0.55%.

Talking of the new regulations …..

This, from the ICO website, is what the Information Commissioner’s Office says a company has to tell its customers when it discovers a breach.  British Airways did not comply with this in its original email to those who were impacted, which is why it had to send a second email last night.  These are the rules:

“You need to describe, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.”

Should I pro-actively cancel my credit card?

There is no evidence yet of any card fraud linked to this breach.

This in itself is odd.  Why go to all the trouble of stealing this data if you are not going to cash in on it?

American Express has decided to do nothing.  If you want full peace of mind, I recommend reporting your card as ‘lost’ via the website which will trigger a new one.  Monzo, Starling, Virgin Money and Tesco Bank, amongst others have said that any card which was used for a BA transaction will automatically be replaced.

If you want to know more …..

There is a dedicated British Airways web page with more information which you can find here.



Comments (105)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Mark says:

    There’s been loads of fraudulent transactions from stolen cards.

    • Rob says:

      There haven’t. Not in the tens of thousands that you would expect. Any random sample of 380,000 people will see some fraud over a two week period.

  • Mark says:

    I’m thinking I might take them to court for the inconvenience, just a few hundred ££.

    Wouldn’t it be funny if everyone did 🙂

    • Russ says:

      No need for court. Just send them a polite letter with what you think is reasonable and expect them to come back with a lesser offer of cash plus a reduction off future holidays, flights, Avios and so forth. £500 is my base rate.

  • Alex says:

    I changed my seat on 4 bookings during the period and agree with Rob there should be no impact because my credit card details weren’t required as it was free. However it’d be nice for BA to confirm that to put quite a few people’s concerns to rest!

  • Cheshire Pete says:

    I made 2 bookings at 20:30 which was a little over 2 hours before the time involved so I’m presuming I’m safe! Hence didn’t get the BA email. I also changed one of my flights same day free of charge on Aug 31st, which did generate an updated booking email receipt of £0 to my card on record, which I also presume is safe as that process didn’t activate the payment processing window.

  • Andrew S says:

    So, with a potential fine of up to £500m under GDPR, this is almost certainly more than the savings made in moving call centres to India… well done Willy Walsh!

    • Simon says:

      I’m unclear what the connection is here? How does the movement of call centres to India impact underlying IT which could surely have been hacked anywhere in the world?

      • Mike says:

        I guess the connection from Andrew’s point of view is karma. Would keeping the call centres in the UK have prevented the breach? No. But if you’re scrappy, a penny pincher, and you implement service cuts left, right and centre, then expect the universe to come back at you.

    • Big dave says:

      If we actually read the GDPR EU directives – they do state the fine of 4% of turnover is a maximum fine which would be levied if the guilty party makes a dog’s ear of the whole thing by being found negligent, failing to report to customers in a timely fashion etc etc… so maybe they get fined 1% in the end – but it will depend on how they have handled the situation and if their own GDPR procedures led to this breach or not – plus they have insurance against these things, right?

  • Sandra says:

    I booked via BA Holidays using the Executive Club log in & also use the BA app. Between the 2 dates I did nothing other than log in to check in online for our flights. I have received the emails so presumably that means, regardless of if a financial transaction was made or not during that time, there is still some risk to both my Amex account & any stored info held by BA?

  • David says:

    It really is time the banks took a lead on these issues. It is ridiculous that each company can store and process sensitive data like this.

    Why not have centralised processing like PayPal where no retailer needs to store your card data?

    The banks should collaborate on something like this that just passes a secure token to the retailer.

    If BA has allowed rogue code to be introduced into its central systems who knows what other code is already there capturing all manner of things.

    I assume they will do a full review of all their customer and maintenance systems as well as changing all their internal passwords and improving code reviews when changes are done.

    • Doug M says:

      How does Paypal help? Why couldn’t a hacker exploit the link between BA and Paypal the same way they seemingly did here? Also, doesn’t this double the risk, exploit the link between BA and Paypal, exploit the link between Paypal and payment method?

  • Roger1* says:

    Nigel (08:00) made some (extra-)interesting points.

    Re Nigel/1: My BAPP card doesn’t expire until 2023! This would theoretically allow misdeeds for almost 5 years. No matter how happy I am with AmEx and how disgusted I am with BA, I’m unhappy about the 5 years span. I have to take action here.

    Re Nigel/2: My e-mail address includes my own domain. I am extremely disinclined to change my e-mail address except under extreme duress. Given that BA have offered the spammers the info that Rob mentions AND of course my name, I could be wide open to identity theft. Pondering what to do next.

    • Russ says:

      +1 and add in changes to headed note paper, business cards. The implications for business users are wider than people first think.

    • Bagoly says:

      A friend showed me a solution for this twenty years ago which I adopted:
      Set up a default email address, and then give each website a unique disposable address, E.g. flying.ba@ – you do *not* set these up, just give them out.
      “The default email address receives any mail that is sent to an invalid email address for your domain.”

      Not all hosting providers will do this in standard packages: Inmotion does not, Siteground does.

      Interestingly enough, one of the innovations from Revolut (and other fintechs?) is virtual cards – so one can change the number at any time, and now disposable ones – used only for one day.
