British Airways discloses massive new credit card data breach on Avios redemptions

Links on Head for Points pay us an affiliate commission. A list of our partners is here.

The British Airways data breach saga, which first emerged in early September, has taken another painful turn for the airline.

British Airways disclosed on Thursday afternoon that a further 185,000 payment cards had potentially been compromised.

These cards had all been used to pay for Avios redemptions between 21st April and 28th July.

Only online bookings at ba.com were impacted.  Redemptions made via the British Airways app or call centre are safe.

Note that ALL forms of Avios redemption appear to be impacted.  You are included if you used Avios to part-pay for a car rental or hotel booking, according to BA.

It is important to note that this is 185,000 ADDITIONAL payment cards which are affected.  British Airways seems to have massaged the headline figure by stripping out cards which were also caught up in the first data breach.

The full statement is here.

British Airways Avios data breach

The latest disclosure is broken down as follows:

77,000 payment cards have had their name, billing address, email address, payment number, expiry and CVV potentially compromised

108,000 payment cards have been similarly compromised but without the CVV number

You will receive an email during Friday if you are impacted.  According to BA:

“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution.”

On the upside, further investigation by British Airways into the original data breach last month has found that ‘only’ 244,000 payment cards have been compromised compared with the 380,000 figure originally claimed.

And, of course, Cathay Pacific revealed on Thursday that a whopping 9.4m sets of personal records had been unlawfully accessed.  This includes credit card data.

In some ways, this breach could be worse for BA than the original.  185,000 people represents a high percentage of the active British Airways Executive Club base.  The original breach will have caught up a lot of ‘once a year’ flyers whilst this one will be impacting people like us who make up a disproportionate part of BA revenue.  Anyone who has already sat through the 2017 weekend IT failure and the recent failures of the new FLY check-in system will probably have had enough by now.

You can find the latest BA statement on this latest breach here.

PS.  Having now seen the British Airways email, the heading “Update on Theft of Customer Data” is hugely misleading in my opinion and may lead to the email being deleted unread

(Want to earn more Avios?  Click here to visit our home page for the latest articles on earning and spending your Avios points and click here to see how to earn more Avios from current offers and promotions.)

Credit & Charge Card Reviews (2): American Express Platinum charge card
See England v Japan rugby in VIP style with Marriott Rewards points - ends Friday
Click here to join the 13,000 people on our email list and receive the latest Avios, miles and points news by 6am.

IHG
Amazon ad
About Head for Points

We help business and leisure travellers maximise their Avios, frequent flyer miles and hotel loyalty points. Visit every day for three new articles or sign up for our FREE emails via this page or the box to your right.

Comments

  1. We live in a highly computerised world. Data breaches are a part of normal life (https://en.wikipedia.org/wiki/List_of_data_breaches) and will continue indefinitely across all industries. Rant about how poor company X’s security is (despite presumably actually knowing nothing whatsoever about it) all you want, it’s impossible to have impenetrable security. I know someone who infiltrated CIA systems while they were a teenager – absolutely nothing in this area is perfect. Which doesn’t mean I’m saying BA did enough to keep it secure, it means you couldn’t possibly know that.

    If this is a major problem for you I suggest you withdraw from this and go back to hard cash. Not convenient? That’s the price you pay.

    • Callum,

      As it is an ongoing criminal investigation I do not know with any certainty what methods the attackers used or the specific weaknesses in BA’s systems, but as part of my job I am well versed in some of the measures that well-managed businesses take to mitigate the risks of attacks. Analysts at RiskIQ and elsewhere suspect that the British Airways hackers likely used a “cross-site scripting” attack, in which bad actors identify a poorly secured web page component and inject their own code into it to alter a victim site’s behavior. The attack doesn’t necessarily involve penetrating an organization’s network or servers, which would explain how hackers only accessed information submitted during a very specific timeframe, and compromised data that British Airways itself doesn’t store. If true, this was not a sophisticated attack – it relies on a poorly secured web page that British Airways could have prevented with adequate procedures. Cross-site scripting attacks are not new and some of the biggest web giants have been attacked in this way (Including Twitter, Facebook and YouTube), it is the failure of BA to learn from these and appreciate its responsibility for the systems it operates that is worrying. Regular penetration testing should have picked up this vulnerability.

      As airlines are trusted with huge amounts of personal data, including payment card details,, national identity document details, visa details, travel plans etc, they owe a duty of care to customers in the handling of that data and should be held to a high standard of account. Asi Sinclair Barnes, strategic marketing director, airline, at Amadeus “I think it’s the duty of any organization who manages data to make sure that they have the highest level of security compliance and that they are supporting each other. It comes down to accountability of every single company.”

      I completely agree that cyber attacks are going to be an increasingly common feature of our lives but rather than go back to hard cash there should be a flight to well-managed businesses that invest in technology and whose leaders prioritize information security. Time and time again British Airways’ technology has been shown wanting; that is not a good sign for a business that relies so heavily on IT for it’s safe operation.

Please click here to read our data protection policy before submitting your comment.