
Interesting Sunday Times piece on the British Airways data breach and compensation


I have tried to avoid running speculative articles about the British Airways data breach, since few of us can speak with real expert knowledge and even fewer know how the company really operates.

The Sunday Times, however, had a very interesting piece this week which I thought was worth quoting.  They spoke with a consultant called Ben Oguntala who actually worked on fraud prevention at BA’s Waterside head office and who quit after his guidance was ignored.

To quote:

What caused the British Airways data breach?

“Oguntala, 44, founder of the card security company Payments & Co, said he was hired to help improve card payment security. But he discovered the airline had failed the international standard for card payments, called the payment card industry (PCI) data security standard, last year. The failure was not reported in the airline’s annual report.

One internal document presented at a BA meeting in April this year states: “British Airways holds a lot of sensitive payment card data. BA are subjected to the international security standard — PCI data security standard.

“By achieving compliance BA are proving to themselves, their customers and their supervisory bodies that BA are suitably protecting payment card data from malicious attack . . . In December 2017, BA failed to achieve PCI compliance.”

The document warned that an outdated system, ArcSight, was being used to store security data relating to card transactions. It is described in the document as “redundant”, “severely undermined” and “prone to failure”. The document is marked IAG GBS, which is the global business services division of BA’s parent company IAG.

Oguntala said he was shocked at the lax security surrounding credit and debit card payments at BA. “The security was woeful,” he said. “There was card data everywhere and there were no proper controls on where it was going and who was getting access.”

Oguntala, who worked for a team that reported to BA’s information security and compliance manager, considered the entire payment system needed to be radically overhauled — with a new security protocol known as tokenisation. He said he left after his advice was rejected.”

As I said above, this is a quote from an article in The Sunday Times and I have not done any additional verification, but it does have a ring of truth to it.

The full article is here but behind a paywall.

The Times suggests £1,250 per head compensation

Will there be any cash compensation for the data breach?

Without wanting to dampen your hopes, I have very little faith that the £475 million legal suit against British Airways, highlighted in The Times yesterday, will go anywhere.

The (ironically named, for those of us in the loyalty sector) firm of SPG Law is apparently planning a class action lawsuit.  SPG Law is part of a large US law group and so has experience in the class action field, although they are rarely seen in the UK.

Apparently I would be due (£475,000,000 divided by 380,000 people) £1,250 for the “inconvenience, distress and misuse” of my private information.

More accurately – if we look at the figures for the recent US class action lawsuit brought against British Airways for comparison, where the lawyers took 28% of the settlement as their fee – SPG Law would receive £120 million and I would be due £900.

In reality, we don’t know how the courts will interpret the new GDPR rules on fines for data leakage.  British Airways acted promptly and has not sought to hide anything, it seems, so it would expect a substantial discount for good behaviour.

The original story in The Times is here but, again, is behind a paywall.


Comments (80)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Chopin says:

    I heard the TV Licensing website was also accessed, with data between 29 August and 5 September, which is similar to the BA case. I am sure there are many more places that haven't been exposed.

  • Kevino says:

    It seems only fair that whatever sum BA are fined is divided equally among those customers affected, as it was their data, so they are the ones who suffered, nobody centrally.

    • Shoestring says:

      There’s no history of regulator/ombudsman fines of this nature getting divvied up amongst the victims, in this case cardholders.

      Class action suit from USA? Yes, I’d sign up for it (if permissible).

      I’d be surprised if any compo were higher than actual damages caused.

  • Simon Cross says:

    Just deleted all my stored credit card information which was held on the BA website.

    It may be a pain but these days I don’t store any card information anywhere and enter it afresh every time.

    Also use an encrypted browser (part of ESET) whenever online shopping and paying for stuff.

    • Clive says:

      Given that this seems to be about information being taken in transit and not from a database, I’m not sure ‘entering it afresh every time’ leaves someone better off…

      • Matt says:

        While that is true, this article appears to shed some light on the lax data security standards and lack of PCI certification at BA, certification which is specifically in place to govern both the transfer and storage of card data.

        If they can’t even adhere to PCI standards, I’d be as concerned about my card data being stored in BA as I would be about this breach which managed to nab them as they passed through.

      • Chris says:

        Indeed

        And ‘Encrypted Browser’ sounds very CSI to me too

  • Tom says:

    A couple of months ago, I accidentally paid for a flight through the BA website using my other half’s AMEX. His card details had pre-populated (being saved on the account), but I entered the CVV code for my own card, not paying attention. The transaction went through successfully. I wondered how that could possibly work…

    I don’t have any specialist knowledge of IT/payment systems, but based on that experience, I’m not surprised that they aren’t on top of PCI.

    • Bagoly says:

      At one stage the CVV codes on my wife’s and my BAPPs were the same!
      There’s a one in 10,000 chance of that, and I do not consider that a weakness of Amex.

      • John says:

        My very first Amex, 8 years ago, long since cancelled, had the CVV of 1234. Being new to Amex I thought the number on the front was just part of the card design, especially when I ordered a supplementary for my wife and the CVV was also 1234!

        What are the chances of getting a number that seems meaningful as well as two cards having the same number?

        In the first month I didn’t use the card online, so didn’t even know that number was important for some time. The other funny thing was that Amex’s website asked me for a memorable date and I entered 1234 and it worked, which was a bit awkward when they asked for it on the phone (not sure whether they should have asked for it on the phone, but was an Amex n00b back then).

        • Alex Sm says:

          I had a bank account ending in 2003, opened in 2003, so I was thinking for a good ten years or so that everyone had the same thing – last four digits the same as the year of account opening!

        • CV3V says:

          My first Amex card had a CVV of 1234 also!

      • Andy says:

        Genuinely curious here (and more than a dash of pedantic), but isn’t it less than 10,000? I had always presumed that certain numbers weren’t used/allowed for CVV, like 1234 or 0000.

        • Chris says:

          If you’re going for pedantic I’d stick to ‘fewer’ as opposed to ‘less’

          🙂

    • Speedbird-abz says:

      Exactly the same happened to me. I’ve been concerned about BA’s security since then but of course didn’t delete our stored card details, and we were involved in last week’s debacle.

    • Anna says:

      Occasionally if my OH enters his login details after I’ve logged out, it still goes to my account! I don’t know if the issue is with BA or our ageing laptop.

      • Tilly says:

        Same happens to me and my husband, Anna. I log out but it doesn’t actually log me out – happens on all our devices.

      • Lady London says:

        Cookies most probably. If sharing systems then the advice is to clear cookies etc. as well as making sure to log out and not just close the app. You can do this at browser level, or otherwise with third-party offerings such as CCleaner.

    • Matt says:

      A CVV match is more akin to a check for the retailer as part of assessing the risk factor of a card, rather than a password to unlock the usage of it. A retailer can still choose to accept payment from a card that fails the CVV check, although it obviously increases the fraud risk and I don’t think payment providers will be particularly happy if you’re constantly accepting failed CVV payments.

      Conspiracy theory hat probably even says that they may be chucking the CVV away before even doing checks due to the lack of PCI certification.

    • Sam says:

      CVV is not strictly necessary for a transaction to take place. It is there to help prevent fraud, similar to postcode and expiry date. In reality, the only number one needs to make a payment is the long number.

    • Bob says:

      Payment forms don’t always check CVV for saved cards.
      If the risk is small, i.e. the address is the same and the buyer has the same surname, websites can lighten the security and fraud checks for saved cards.

  • Paul says:

    I am not sure that any discount for good behaviour is merited if, as suggested, they ignored advice and were operating a system that was simply an accident waiting to happen.
    BA’s initial response was a non-compliant email which added to the concerns. Amex in my case provided me with far more reassurance. BA then sent a second, compliant email, albeit they did not name their DPO.
    If the article is true then there is higher culpability and, no matter how quickly they shut the door after the horse had bolted, it doesn’t alter the fact that the door didn’t have a bolt, because they were deliberately cost cutting.

  • Kevin says:

    Actually, I highly doubt this version. Even if he’s worked on the system, it’s just not plausible for ArcSight to be responsible. If it was, they would’ve had access to *all* the CC data, and not just ‘transient’ data. This looks far more like the ‘Ticketmaster NZ’ hack, where a 3rd party provider was compromised, and malicious javascript was able to read the card data in the payment processing form. If you download the Chrome extension ‘built with’, you’ll see they use a myriad of third party stuff: it’s entirely plausible that one of their accounts (Google Analytics etc) was compromised, and this enabled the JS to be inserted.

    I’ve worked with ArcSight in the past (awful, awful product) and if that was compromised, we would be dealing with a much bigger issue than a breach of transient data.

    Anyway, that’s my take on it. Could be equally as wrong!

    • DWB1873 says:

      I agree.

      And this guy has an axe to grind – sure he “left” after they didn’t take his advice – but it could be his advice was rubbish.

      It’s the CVVs that make this one interesting. They got the data in transit. They didn’t get the core DB – as you say, the scale of that would be a different magnitude.

      It’s expected but disappointing to see how everyone has a fix and the sales people are no doubt doing great business playing off people’s fears.

      Also frightening to see some business leaders crowing about how it won’t happen to them. Without knowing how it was done? Really. You have to assume you are compromised – to believe you aren’t based on shallow beliefs is foolish.

      What I hope, but do not expect, is a full breakdown in due course that allows the rest of us to carefully manage whatever went wrong here in our own systems. That would be a useful outcome from a bad event.

      Pitchforks at dawn, crowing and point scoring, not so much.

    • Neil says:

      I agree with this (working, as I do, in software development for a fairly large travel booking site…). If this was a back-end breach, then they would have walked off with everything. This has the makings of a 3rd party component being compromised leading to malicious javascript harvesting the card data directly off the site as it was entered.

      However, the PCI failure is still very serious. They have no excuse not to be tokenising card details by passing them through a secure proxy that hosts the card number and CVV fields.
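Kevin’s and Neil’s comments above both point at the same scenario: a third-party script on the payment page being altered so that it reads card data as it is typed. The check a site operator would want against that is a script integrity audit: record a hash of every approved script at deployment time and re-hash what the page actually loads. The Python below is an added example, not code from Head for Points or BA; the URLs and script bodies are constructed, and the fetch is a dictionary lookup standing in for an HTTP request.

```python
import base64
import hashlib
from html.parser import HTMLParser

# --- constructed fixtures (hypothetical URLs and bodies, not any real site's) ---
APPROVED_BODIES = {
    "https://cdn.analytics.example/tracker.js": "/* tracker v1 */ track();",
    "https://static.merchant.example/payment.js": "initPaymentForm();",
}
# What a fetch at audit time returns: tracker.js has been altered since approval,
# and a script nobody approved has appeared on the page.
LIVE_BODIES = {
    "https://cdn.analytics.example/tracker.js": "/* tracker v1 */ track(); extra();",
    "https://static.merchant.example/payment.js": "initPaymentForm();",
    "https://cdn.unknown.example/helper.js": "helper();",
}
PAYMENT_PAGE = """
<html><body>
<form id="card"><input name="pan"><input name="cvv"></form>
<script src="https://cdn.analytics.example/tracker.js"></script>
<script src="https://static.merchant.example/payment.js"></script>
<script src="https://cdn.unknown.example/helper.js"></script>
</body></html>
"""

def sri_digest(body: str) -> str:
    """Hash a script body in the 'sha384-<base64>' form browsers use for integrity=."""
    raw = hashlib.sha384(body.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(raw).decode("ascii")

class ScriptSources(HTMLParser):
    """Collect the src attribute of every <script> tag on the page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def audit_scripts(html, baseline, fetch):
    """Compare every external script on the page with the approved baseline.
    Returns (status, url) pairs: 'ok', 'modified' (hash changed) or 'unapproved'."""
    parser = ScriptSources()
    parser.feed(html)
    findings = []
    for url in parser.sources:
        if url not in baseline:
            findings.append(("unapproved", url))
        elif sri_digest(fetch(url)) != baseline[url]:
            findings.append(("modified", url))
        else:
            findings.append(("ok", url))
    return findings

# Baseline captured when the approved scripts were deployed.
BASELINE = {url: sri_digest(body) for url, body in APPROVED_BODIES.items()}

if __name__ == "__main__":
    for status, url in audit_scripts(PAYMENT_PAGE, BASELINE, LIVE_BODIES.__getitem__):
        print(f"{status:10s} {url}")
```

The same sha384 digests can be pinned in the page’s `integrity=` attributes so that the browser itself refuses a modified script, which is the enforcement to pair with this audit.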

      • Thywillbedone says:

        To fail PCI compliance is beyond serious for a business the size of BA. To not disclose this while claiming on the website that “Saving your payment details is safer than re-entering them each time you buy on ba.com” etc beggars belief. Knowing businesses in the payments space, PCI compliance is a board-level matter so it will be interesting to find out who knew what and when (if indeed the claims in the article are true).

      • Joe A says:

        Your HQ wouldn’t happen to be in Amsterdam would it? Greetings from your new Manchester office, if so.

    • EvilGazebo says:

      100% agree

  • Doug M says:

    The piece may be interesting but we’re firmly in the speculative area here. After his advice was ignored he left. Or, as the other side of any argument might say, when their contract wasn’t renewed they were bitter and looking to score points. Until, and it may be never, we find out what really happened it’s a big load of nothing.

    We can all speculate based on what’s been said of the data leak, but that’s all it is, speculation.

  • IanMacK says:

    I frequently book flights for my daughter up and down from/to London.
    I book Avios reward seats for her and my wife.
    The BA website is a real pain when it gets to the question ‘is the person paying travelling ?’ (or similar)
    If I say no and then try to add my details the website goes haywire.
    Now I just say yes (when clearly I’m not), enter my daughter as the passenger but my own credit card details and booking is processed …

    • John says:

      Amex doesn’t check the name on cards and some (all?) Visa/MC don’t either, so that’s why it works.

      However, there is a small risk of your daughter being asked for your credit card if she needs to check-in at an airport desk. Never happened to me but I vaguely recall something on HFP saying it happened to someone.

      • Fenny says:

        I have different cards I use for buying everyday stuff in GBP and others that I take when I travel abroad to pay in forrin. Unless I was specifically told I MUST present the card I paid for a flight on, chances are I wouldn’t have it with me when travelling. And given how often HfPers seem to churn, after buying at T-355, it’s quite possible lots of others wouldn’t either.
