Interesting Sunday Times piece on the British Airways data breach and compensation

I have tried to avoid running speculative articles about the British Airways data breach, since few of us can speak with real expert knowledge and even fewer know how the company really operates.

The Sunday Times, however, had a very interesting piece this week which I thought was worth quoting.  They spoke with a consultant called Ben Oguntala who actually worked on fraud prevention at BA’s Waterside head office and who quit after his guidance was ignored.

To quote:

What caused the British Airways data breach?

“Oguntala, 44, founder of the card security company Payments & Co, said he was hired to help improve card payment security. But he discovered the airline had failed the international standard for card payments, called the payment card industry (PCI) data security standard, last year. The failure was not reported in the airline’s annual report.

One internal document presented at a BA meeting in April this year states: “British Airways holds a lot of sensitive payment card data. BA are subjected to the international security standard — PCI data security standard.

“By achieving compliance BA are proving to themselves, their customers and their supervisory bodies that BA are suitably protecting payment card data from malicious attack . . . In December 2017, BA failed to achieve PCI compliance.”

The document warned that an outdated system, ArcSight, was being used to store security data relating to card transactions. It is described in the document as “redundant”, “severely undermined” and “prone to failure”. The document is marked IAG GBS, which is the global business services division of BA’s parent company IAG.

Oguntala said he was shocked at the lax security surrounding credit and debit card payments at BA. “The security was woeful,” he said. “There was card data everywhere and there were no proper controls on where it was going and who was getting access.”

Oguntala, who worked for a team that reported to BA’s information security and compliance manager, considered the entire payment system needed to be radically overhauled — with a new security protocol known as tokenisation. He said he left after his advice was rejected.”

As I said above, this is a quote from an article in The Sunday Times and I have not done any additional verification, but it does have a ring of truth to it.
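The tokenisation approach the quoted passage says Oguntala recommended, shown as an added illustration that is not from this article or The Sunday Times: the payment provider's vault is the only system that holds the full card number, the merchant keeps a random token plus the last four digits, and a simple scan shows which data store would still be holding card data. The vault, merchant and test card number here are all constructed for the example.

```python
import re
import secrets

# Added example: merchant keeps only a token and last 4 digits; the full
# card number (PAN) lives only in the payment provider's vault.
# 4111111111111111 is a constructed Luhn-valid test number, not a real card.
def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, the standard sanity check on a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Simulated payment-provider vault: the only system that stores PANs."""
    def __init__(self):
        self._pan_by_token = {}
    def tokenise(self, pan: str):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(8)  # random: cannot be reversed to the PAN
        self._pan_by_token[token] = pan
        return token, pan[-4:]
    def charge(self, token: str, amount_pence: int) -> dict:
        pan = self._pan_by_token[token]        # KeyError for an unknown token
        return {"ok": True, "last4": pan[-4:], "amount": amount_pence}

class Merchant:
    """What the merchant (a B&B or an airline) stores per customer."""
    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.customers = {}
    def save_card(self, customer: str, pan: str) -> None:
        token, last4 = self.vault.tokenise(pan)
        self.customers[customer] = {"token": token, "last4": last4}
    def charge_later(self, customer: str, amount_pence: int) -> dict:
        # A repeat charge (room extras, a rebooking) needs only the token.
        return self.vault.charge(self.customers[customer]["token"], amount_pence)

PAN_SHAPE = re.compile(r"\d{13,19}")

def pan_like_values(store: dict) -> list:
    """Scope check: list stored values that look like full card numbers."""
    return [v for rec in store.values() for v in rec.values()
            if PAN_SHAPE.fullmatch(v) and luhn_ok(v)]
```

Running `pan_like_values` over a legacy record that stores the PAN itself flags it, while the tokenised merchant store comes back empty, which is the scope reduction tokenisation buys.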

The full article is here but behind a paywall.

The Times suggests £1,250 per head compensation

Will there be any cash compensation for the data breach?

Without wanting to dampen your hopes, I have very little faith that the £475 million legal suit against British Airways, highlighted in The Times yesterday, will go anywhere.

The (ironically named, for those of us in the loyalty sector) firm of SPG Law is apparently planning a class action lawsuit.  SPG Law is part of a large US law group and so has experience in the class action field, although they are rarely seen in the UK.

Apparently I would be due (£475,000,000 divided by 380,000 people) £1,250 for the “inconvenience, distress and misuse” of my private information. 

More accurately – if we look at the figures for the recent US class action lawsuit brought against British Airways for comparison, where the lawyers took 28% of the settlement as their fee – SPG Law would receive £120 million and I would be due £900.

In reality, we don’t know how the courts will interpret the new GDPR rules on fines for data leakage.  British Airways acted promptly and has not sought to hide anything, it seems, so it would expect a substantial discount for good behaviour.

The original story in The Times is here but, again, is behind a paywall.


How to earn Avios from UK credit cards (April 2024)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

Barclaycard Avios Plus card

Barclaycard Avios Plus Mastercard

Get 25,000 Avios for signing up and an upgrade voucher at £10,000 Read our full review

Barclaycard Avios card

Barclaycard Avios Mastercard

5,000 Avios for signing up and an upgrade voucher at £20,000 Read our full review

There are two official British Airways American Express cards with attractive sign-up bonuses:

British Airways American Express Premium Plus

25,000 Avios and the famous annual 2-4-1 voucher Read our full review

British Airways American Express

5,000 Avios for signing up and an Economy 2-4-1 voucher for spending £15,000 Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points. These points convert at 1:1 into Avios.

American Express Preferred Rewards Gold

Your best beginner’s card – 20,000 points, FREE for a year & four airport lounge passes Read our full review

The Platinum Card from American Express

40,000 bonus points and a huge range of valuable benefits – for a fee Read our full review

Run your own business?

We recommend Capital on Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios.

Capital on Tap Business Rewards Visa

Huge 30,000 points bonus until 12th May 2024 Read our full review

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies and has a 30,000 Avios sign-up bonus.

British Airways Accelerating Business American Express

30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

American Express Business Platinum

40,000 points sign-up bonus and an annual £200 Amex Travel credit Read our full review

American Express Business Gold

20,000 points sign-up bonus and FREE for a year Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

Comments (82)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Russ says:

    No need to get a third party involved, ideally claims should now be in. They that dawdle may end up with £25, another apology and a first edition signed print of Alex wearing his high viz jacket.

  • Mikeact says:

    I’m no security expert, just a regular man in the street. Apart from any hassle, then as long as I don’t give out any secure information I guess I will always be reimbursed for losses incurred, whether that is my bank, BA, M&S or any other card acceptor. Or am I wrong?

  • Ian says:

    I’ve had the usual email from Amex but can’t otherwise claim I’ve been affected so far. In fact I’ve had the opposite problem: I’ve tried to store my card details on the BA website but once again, when I made a booking during this period, they didn’t have my details stored so I had to input them manually. Looks like that’s the way I’ll be doing it in future as long as they have their current antique payment system.

  • Pangolin says:

    The company behind ArcSight has been out of existence for 8 years (according to one of the ToL commenters), so I can’t imagine this software got many security updates!

    Also, if they failed the PCI Audit, how did their auditors E&Y sign them off?

    Seems like they hired this guy to check out their transaction processing setup and when he told them it was a heap of outdated and insecure junk they told him “Thanks very much but everything’s fine and we won’t be needing your services again.”

    • Thomas Howard says:

      When has an auditor *ever* risked its fee by refusing to sign off illegal or incompetent behaviour?

      • Lady London says:

        Erm…I thought the accounts of the European Union were being refused sign-off by their auditors for several years?

    • Genghis says:

      EY as stat auditors wouldn’t really give a monkey’s. Backward looking and no misstatements in financial statements. Unlikely a going concern risk.

      • Sussex Bantam says:

        Exactly – I wish people understood properly the role of the auditor. This is from the definition by the FRC

        “The auditor’s objectives are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error,”

        They simply aren’t there to judge “incompetent behaviour”

        • Genghis says:

          #expectationsgap 🙂

        • Thomas Howard says:

          Right, but they too often don’t even manage that and if you can’t identify high level incompetence how can you have any confidence in the figures? Surely ensuring compliance with ISO9001 and more specific systems like PCI should be part of your error detection.

          My experience with the big audit firms is that it’s a charade; they send in a 21-year-old grad who frequently doesn’t know what to ask, let alone how to comprehend the answer.

          • Rob says:

            That is, effectively, what the report into the failure of BHS said about the audit. The only senior person at KPMG involved spent a grand total of 2 hours on the audit, despite the precarious position of the company.

        • Sussex bantam says:

          They do audit the systems which are used to control the financial statements – my firm had an issue this year as our financial systems had been compromised by an ex employee and our audit was delayed as a result.

          PCI wouldn’t impact in the production of the financials so they wouldn’t audit it.

          The audit opinion is only ever on the financial reporting – it isn’t a comment on how well the company is run (or otherwise)

        • Crafty says:

          Moreover, PCI compliance is not a legal requirement. It’s a choice.

  • Ken Adcock says:

    This story is highly dubious IMHO. No security consultant worth his salt would bad mouth a client post engagement.
    If you read the full article he brags about flying first class... sounds more like consultant self-promotion.
    This was transaction based not data.
    Poor reporting if you ask me.

    • Sinagua says:

      I have in the past been accountable for PCI compliance at a global organisation. It is far from a tick-box exercise and I’d be surprised if any organisation of the scale of BA could claim to be 100% compliant. That said, I’d expect the basics around card data storage and the handling of card data at the point of entry and ongoing transit to the payment gateway to be buttoned down. As others have said, it may be that some compromised code has been introduced to intercept the card data. We certainly put a lot of effort into making sure that no card data was stored even for a fraction of a second on our infrastructure. (Card data being entered into a secure frame directly onto the payment provider.)

  • Chris Baker says:

    We recently ran a small B&B and to take card payments we had to demonstrate that we were PCI compliant. Each year we had to renew our certificate and buy tokens which ensured that we only knew the last 4 digits of card numbers and yet could still charge cards for extras etc.
    It is laughable that a minuscule B&B has better card protection than a multinational company.

    • Thomas Howard says:

      Would the merchant provider rather lose the business of a £100k a year company or a £12bn revenue one?

  • Alex Sm says:

    You can access up to 2 articles per month for free if you just register on the Times website. No card needed!

    • Rob says:

      You are heavily spammed by them though!

      • Chris Palmer says:

        Best to create a few ghosting email addresses for such a purpose rather than clogging a genuine personal inbox.

    • Thomas Howard says:

      You can get a student subscription with no checks at £26 a year for four years. Tip found in Private Eye.

      • David says:

        Is there enough decent content to justify £26/year?
        I’d struggle to justify it to myself.

        The Boris piece (‘give him a go’) yesterday was proof it is not quality.

  • David says:

    Discount for ‘good behaviour’ is a bit of a joke. No wonder companies don’t invest in proper security and in this case one assumes, proper systems if the fine gets discounted because they tell the world quickly.

    A penalty should be based on the severity and impact of the issue and not be discounted because of a speedy report as that is what is required anyway.

    As for TV Licensing they would be better to add a few pence to income tax and scrap it and Capita. Save us all a lot in the end.
