British Airways discloses massive new credit card data breach covering Avios redemption flights

The British Airways data breach saga, which first emerged in early September, has taken another painful turn for the airline.

British Airways disclosed on Thursday afternoon that a further 185,000 payment cards had potentially been compromised.

These cards had all been used to pay for Avios redemptions between 21st April and 28th July.

Only online bookings at were impacted.  Redemptions made via the British Airways app or call centre are safe.

Note that ALL forms of Avios redemption appear to be impacted.  You are included if you used Avios to part-pay for a car rental or hotel booking, according to BA.

It is important to note that this is 185,000 ADDITIONAL payment cards which are affected.  British Airways seems to have massaged the headline figure by stripping out cards which were also caught up in the first data breach.

The full statement is here.

The latest disclosure is broken down as follows:

77,000 payment cards have had their name, billing address, email address, payment number, expiry and CVV potentially compromised

108,000 payment cards have been similarly compromised but without the CVV number

You will receive an email during Friday if you are impacted.  According to BA:

“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution.”

On the upside, further investigation by British Airways into the original data breach last month has found that ‘only’ 244,000 payment cards have been compromised compared with the 380,000 figure originally claimed.

And, of course, Cathay Pacific revealed on Thursday that a whopping 9.4m sets of personal records had been unlawfully accessed.  This includes credit card data.

In some ways, this breach could be worse for BA than the original.  185,000 people represents a high percentage of the active British Airways Executive Club base.  The original breach will have caught up a lot of ‘once a year’ flyers whilst this one will be impacting people like us who make up a disproportionate part of BA revenue.  Anyone who has already sat through the 2017 weekend IT failure and the recent failures of the new FLY check-in system will probably have had enough by now.

You can find the latest BA statement on this latest breach here.

PS.  Having now seen the British Airways email, the heading “Update on Theft of Customer Data” is hugely misleading in my opinion and may lead to the email being deleted unread.

Comments (251)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • James says:

    I agree that the headline is incredibly misleading. I was not part of the original group but my data was part of this second wave. It is not until you get to the third paragraph of the email that you see the phrase “it is possible your personal data may have been compromised” loosely thrown in.

    I was particularly annoyed by the start of the paragraph that followed (“We are very sorry that this criminal activity has occurred.”) and by Cruz’s sign-off (“Once again, we truly apologise for any worry and inconvenience this criminal activity has caused”); British Airways’ failure to accept its own part in this mess is insulting. British Airways should instead be sorry that (a) British Airways did not have an adequate IT security policy; (b) British Airways did not have adequate third party vendor review processes; (c) British Airways did not have adequate systems and procedures in place or sufficient management oversight to detect weaknesses in its security sooner; and (d) British Airways’ leadership has not sufficiently emphasized the importance of data security to create a culture which values customers and their data such that the risks were better mitigated.

    The latest news, which highlights the impact of his leadership decisions on BA’s most loyal customers (again), should serve to remind the board of Cruz’s complete disregard for the long-term brand value and prospects of the company and should lead them to question – yet again – whether his time is up.

    • Ian M says:

      Couldn’t agree more

    • Alan says:

      Totally agree.

    • Callum says:

      It shouldn’t given, as has been shown time and time and time again, the people incessantly whining about Cruz aren’t particularly representative of BA’s customer base.

      People have been whining about the damage caused to BA by X, Y and Z for years and years on this site, yet year by year, passenger numbers increase and profit increases.

      • James says:

        I might not be representative of their customer base across the board, but I do fly in CW or F from London to New York at least twice a month, which means that I (and I suspect many other readers of this website who incessantly whine) contribute disproportionately to the profitable part of their operations. I have put up with BA’s lack of investment in its seats and service for a long time because I am so invested in BAEC, but with each problem my loyalty is slowly eroded. Last quarter I started taking every other flight with Delta/Virgin and suspect I will gradually shift my loyalty entirely. What you fail to realize is that BA’s most (and possibly only) profitable customers notice each and every one of the “X, Y and Z” issues and while each one may not be enough to cause them to move allegiance, cumulatively the damage could be catastrophic. Cruz’s mistaken focus means that short term profit growth to placate short term investors could result in the long term dissolution of BA’s profitable loyal customers. Loyalty is hard-won and easily lost.

        • Callum says:

          I don’t care what your travel patterns are, your attitude is what isn’t representative. Every single time someone like you pops up to say “this might not make a difference but it will add up and that will eventually” yet that time never comes.

          You also don’t have the slightest idea what Cruz does, so I have no idea why you feel you are more informed about his performance than his bosses are. How arrogant can you get!

  • Swiss SKI says:

    OT: I got a 25GBP off code for Swiss at the London Ski Festival: swissukski25

    UK to GVA/ZRH
    Book by 31/1/19
    Travel by 31/3/19

    Tested and working, random LHR-GVA return with luggage in Feb was GBP74 with voucher

  • Callum says:

    We live in a highly computerised world. Data breaches are a part of normal life and will continue indefinitely across all industries. Rant about how poor company X’s security is (despite presumably actually knowing nothing whatsoever about it) all you want, it’s impossible to have impenetrable security. I know someone who infiltrated CIA systems while they were a teenager – absolutely nothing in this area is perfect. Which doesn’t mean I’m saying BA did enough to keep it secure, it means you couldn’t possibly know that.

    If this is a major problem for you I suggest you withdraw from this and go back to hard cash. Not convenient? That’s the price you pay.

    • James says:


      As it is an ongoing criminal investigation I do not know with any certainty what methods the attackers used or the specific weaknesses in BA’s systems, but as part of my job I am well versed in some of the measures that well-managed businesses take to mitigate the risks of attacks. Analysts at RiskIQ and elsewhere suspect that the British Airways hackers likely used a “cross-site scripting” attack, in which bad actors identify a poorly secured web page component and inject their own code into it to alter a victim site’s behavior. The attack doesn’t necessarily involve penetrating an organization’s network or servers, which would explain how hackers only accessed information submitted during a very specific timeframe, and compromised data that British Airways itself doesn’t store. If true, this was not a sophisticated attack – it relies on a poorly secured web page that British Airways could have prevented with adequate procedures. Cross-site scripting attacks are not new and some of the biggest web giants have been attacked in this way (including Twitter, Facebook and YouTube); it is the failure of BA to learn from these and appreciate its responsibility for the systems it operates that is worrying. Regular penetration testing should have picked up this vulnerability.

      As airlines are trusted with huge amounts of personal data, including payment card details, national identity document details, visa details, travel plans etc, they owe a duty of care to customers in the handling of that data and should be held to a high standard of account. Asi Sinclair Barnes, strategic marketing director, airline, at Amadeus: “I think it’s the duty of any organization who manages data to make sure that they have the highest level of security compliance and that they are supporting each other. It comes down to accountability of every single company.”

      I completely agree that cyber attacks are going to be an increasingly common feature of our lives but rather than go back to hard cash there should be a flight to well-managed businesses that invest in technology and whose leaders prioritize information security. Time and time again British Airways’ technology has been shown wanting; that is not a good sign for a business that relies so heavily on IT for its safe operation.
