British Airways discloses massive new credit card data breach covering Avios redemption flights

The British Airways data breach saga, which first emerged in early September, has taken another painful turn for the airline.

British Airways disclosed on Thursday afternoon that a further 185,000 payment cards had potentially been compromised.

These cards had all been used to pay for Avios redemptions between 21st April and 28th July.

Only online bookings at ba.com were impacted.  Redemptions made via the British Airways app or call centre are safe.

Note that ALL forms of Avios redemption appear to be impacted.  You are included if you used Avios to part-pay for a car rental or hotel booking, according to BA.

It is important to note that this is 185,000 ADDITIONAL payment cards which are affected.  British Airways seems to have massaged the headline figure by stripping out cards which were also caught up in the first data breach.

The full statement is here.

The latest disclosure is broken down as follows:

77,000 payment cards have had their name, billing address, email address, payment number, expiry and CVV potentially compromised

108,000 payment cards have been similarly compromised but without the CVV number

You will receive an email during Friday if you are impacted.  According to BA:

“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution.”

On the upside, further investigation by British Airways into the original data breach last month has found that ‘only’ 244,000 payment cards have been compromised compared with the 380,000 figure originally claimed.

And, of course, Cathay Pacific revealed on Thursday that a whopping 9.4m sets of personal records had been unlawfully accessed.  This includes credit card data.

In some ways, this breach could be worse for BA than the original.  185,000 people represents a high percentage of the active British Airways Executive Club base.  The original breach will have caught up a lot of ‘once a year’ flyers whilst this one will be impacting people like us who make up a disproportionate part of BA revenue.  Anyone who has already sat through the 2017 weekend IT failure and the recent failures of the new FLY check-in system will probably have had enough by now.

You can find the latest BA statement on this latest breach here.

PS.  Having now seen the British Airways email, the heading “Update on Theft of Customer Data” is hugely misleading in my opinion and may lead to the email being deleted unread.


Comments (251)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • C says:

    Hmm. I received an e-mail from AmEx, nothing from BA – despite booking a Cathay redemption in May via the BA site. Perhaps that’s safe, perhaps BA will get around to it today.

    I feel like I might as well put a photo of my card up on Twitter at this point.

    • Mark says:

      I think the Amex email is more generic. I received an email from them when the original breach was announced, even though I wasn’t caught up in that one.

  • Mike L says:

    I booked in May but it was via the BA call centre as it was an open jaw. I’ve received the email from Amex but so far, nothing from BA – looks like my call centre booking has saved me from any potential grief.

  • Rebecca says:

    I’ve received a letter from Lloyds saying there has been fraud on my Avios credit cards. Apparently they have blocked them and are sending replacement cards. Could this be linked?

  • Andrew says:

    The data harvested is going to be laundered over and over again.

    At the moment, I’m trying to get to the bottom of a data selling scam led by Equiniti PLC. They sold a marketing package to a FTSE 100 company (I’ve been engaging with that Company Secretary, they are victims of the scam and have black-listed Equiniti), the underlying data that they sold had been harvested from 6 further companies. That data was nothing but a sham with no provenance.

    Of those 6 companies…

    Tracesmart Limited, an FCA regulated company and part of RELX Plc, has refused to engage with the Ombudsman – claiming that as I’m not their direct customer (Equiniti is), that it’s nothing to do with them.

    Quinn Data – Expects me to send a copy of my Passport, Drivers Licence and Bank Account details to a PO Box in the Philippines.

    Two are refusing to respond to emails or letters asking for details

    One bought the data from a non-trading company two years ago

    Last one bought the data from a further company (who refuse to respond to emails or letters) and were bulk spamming me with malicious emails promoting funeral plans after I complained.

    The joys of GDPR

    • Simon says:

      Good luck. I recall that the Scottish ICO case that followed spamming of people during the Scottish referendum managed to trace back where the list of mobile numbers they had used originated from. Lots of data selling and re-selling, and I’m sure there was a tranche of numbers which had been harvested from entry forms for a competition run by one of the budget airlines a few years before the referendum.

  • AndyW says:

    Managed to avoid the last one but have been caught up in this. Email from Amex before BA which as people have said looks pretty poor on BA’s part.

    • Pr99 says:

      I got the email from Amex but had no transactions with BA during the period so they could just be writing to all BA cardholders.

      • Alex Sm says:

        I also got that one but it sounded like a mass mailing and a pure precaution

        • ANDREW M says:

          Yep I received an Amex email as well although I do not have a BA Amex only the Lloyds and a Nectar Amex …

    • Tom says:

      Amusingly, at the bottom of the BA page this appears:

      “Will I be liable for any fraudulent activity?
      American Express Cardmembers are not liable for any fraudulent charges on their credit cards.”

      What about people paying on a non-AMEX card? It looks suspiciously like this language could have been copied from somewhere.

      • Shoestring says:

        In a way, this might end up being a get-out-of-jail card for some silly sausage old age pensioners.

        You know: the ones who fall for the phone scam & give away their card details.

        They could end up lucky & get scammed out of their life savings on the same card BA messed up with on the data breach…

  • Dave says:

    Rob, you said in an earlier comment “BA makes it quite clear in its email that there hasn’t been a single case of fraud resulting from the sale of your card details on the dark web”
    They don’t do that in my email, are they maybe sending out different ones? No mention in the email I got below, given that I had some fraudulent activity a couple of months ago I’m suspicious that BA are correct if they do assert that.

    “Since then we’ve been conducting a thorough investigation with specialist cyber forensic investigators, liaising with the National Crime Agency. As a result of the investigation I am writing to let you know that you may have been affected by the data theft, when you made a reward booking between 21 April and 28 July 2018.

    While we do not have conclusive evidence that the data was removed from British Airways’ systems, it is possible your personal data may have been compromised. This includes your full name, billing address, email address and payment card details. Your CVV number has remained confidential. As a precaution we recommend you contact your bank or card provider and follow their advice.

    We are very sorry that this criminal activity has occurred. We’ll reimburse our customers who have suffered financial losses as a direct result of the theft of their payment card details.”

  • Joel M says:

    To make it even worse, I received an email from Amex (as a BA Amex cardholder) at 1830 last night about the steps they are taking to protect their customers but didn’t receive the ‘update’ email from BA until over 2 hours later. What are the chances BA is going to be forced / choose to compensate affected customers? I’ve seen a US-style class action lawsuit proposed (they’ve even scooped an appropriately named badatabreach dot com website) – any thoughts on likelihood of success in the UK legal system or otherwise whether it’s worth signing up for?

    • Pr99 says:

      I had the email from Amex but none from BA and had no transactions in the period so I assume Amex is writing to all BA cardholders. As far as I know no other banks are contacting customers and some purchases have to be with non Amex cards.

    • Crafty says:

      I received the email from Amex only. As it referred to a BA data breach “update”, I assumed it was Amex proactively updating me on progress regarding the original breach. Seemed like an odd email. I only knew that BA had fucked up again when I happened to visit HFP!

  • Phil Duncan says:

    Once again BA have sent out a mewling and puking email stating that they are the victims of criminal activity in this hack. They may be but they have also been negligent and failed to maintain secure data systems for which they and only they are responsible.

    Time for heads to roll.
