BA Sale

British Airways discloses massive new credit card data breach on Avios redemptions

Links on Head for Points may pay us an affiliate commission. A list of partners is here.

The British Airways data breach saga, which first emerged in early September, has taken another painful turn for the airline.

British Airways disclosed on Thursday afternoon that a further 185,000 payment cards had potentially been compromised.

These cards had all been used to pay for Avios redemptions between 21st April and 28th July.

Only online bookings at were impacted.  Redemptions made via the British Airways app or call centre are safe.

Note that ALL forms of Avios redemption appear to be impacted.  You are included if you used Avios to part-pay for a car rental or hotel booking, according to BA.

It is important to note that this is 185,000 ADDITIONAL payment cards which are affected.  British Airways seems to have massaged the headline figure by stripping out cards which were also caught up in the first data breach.

The full statement is here.

British Airways Avios data breach

The latest disclosure is broken down as follows:

77,000 payment cards have had their name, billing address, email address, payment number, expiry and CVV potentially compromised

108,000 payment cards have been similarly compromised but without the CVV number

You will receive an email during Friday if you are impacted.  According to BA:

“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution.”

On the upside, further investigation by British Airways into the original data breach last month has found that ‘only’ 244,000 payment cards have been compromised compared with the 380,000 figure originally claimed.

And, of course, Cathay Pacific revealed on Thursday that a whopping 9.4m sets of personal records had been unlawfully accessed.  This includes credit card data.

In some ways, this breach could be worse for BA than the original.  185,000 people represents a high percentage of the active British Airways Executive Club base.  The original breach will have caught up a lot of ‘once a year’ flyers whilst this one will be impacting people like us who make up a disproportionate part of BA revenue.  Anyone who has already sat through the 2017 weekend IT failure and the recent failures of the new FLY check-in system will probably have had enough by now.

You can find the latest BA statement on this latest breach here.

PS.  Having now seen the British Airways email, the heading “Update on Theft of Customer Data” is hugely misleading in my opinion and may lead to the email being deleted unread

(Want to earn more Avios?  Click here to visit our home page for the latest articles on earning and spending your Avios points and click here to see how to earn more Avios from current offers and promotions.)

Credit & Charge Card Reviews (2): American Express Platinum charge card
See England v Japan rugby in VIP style with Marriott Rewards points - ends Friday
Click here to join the 14,000 people on our email list and receive the latest Avios, miles and points news by 6am.

BA Sale
Amazon ad
About Head for Points

We help business and leisure travellers maximise their Avios, frequent flyer miles and hotel loyalty points. Visit every day for three new articles or sign up for our FREE emails via this page or the box to your right.


  1. mundo perdito says:

    I got the BA craftily worded email which, buried in the copy did say I had bought one redemption ticket which could put all my Amex details at risk. It was only when Amex emailed my that I realised this is a NEW alert, not just more info.

    So the real jewel in the crown is when you wish to avail of BA’s ‘generous’ offer to have 12 months free subscription to Experian ProtectMyID. It’s only partially free and they take your CC details in order to do an autorenew when your ‘free’ period is over.

  2. I got this second email, not the one last time.
    The only flight I booked with BA this year was a redemption flight.
    Their email is absolutely useless, they could have at least included the card that got compromised. After looking for the confirmation, it turns out I paid via PayPal, which mean they cant have my card after all – crucial information they are withholding in their email.
    They really deserve a massive fine just for how that email is written and how useless and generic the content is!

    • Anthony says:

      I agree with every word. Took me ages to find which bookings could have been affected and quite by chance I used PayPal on the only avios reception I made during that period.

      So the email BA have sent out is not only unhelpful, it is actually downright misleading.

  3. Shoestring says:

    O/T I’m afraid I just did a Genghis rational choice on the site that cannot be named.

    I normally like to get ‘free’ Avios even though I know the argument about cash being better when it’s only 1.05p/ point.

    But these days they’re running 8% bonus on prepaid Mastercard, which sort of swung it vs a mere 5% bonus (premium member) & ‘free’ reward flights/ Avios.

    You just have to remember to spend it. Easily done – comes through next day in your email a/c and you can use it all up immediately eg on your BT bill.

    • Shoestring says:

      Sorry. checking the math, something like 0.95p/ point.

    • Genghis says:

      Just occasionally, cash is king. Although this is head for points, the points don’t operate in a vacuum so need to be compared to the “real world”. Not used the prepaid cards yet. Not had any reasonable cash back for a while and (my main earner) cannot be converted to the wallet. Let us know how you get on

      • Shoestring says:

        I didn’t have a choice last week & tried it for the first time (no other payout options allowed that time). It was 100% hassle free, as it happens I just put £200 of credit on my son’s school lunch account with Wisepay but it could equally have been BT bill – Wisepay only took round £50s so I used the change on BT.

        I realised the only way you lose is by keeping your money on the virtual card and forgetting about it/ forgetting access details, so made sure to use it all up straight away.

  4. Shoestring says:

    O/T reminder that Nectar Swipe & Win is back on @Sainsbury, today & the weekend. This guy did OK: [‘2 X 2000, 2 X 1000, 2 X 500 AND 1 X 200 for filling up the first car’] – assuming a £70 fill up (ie 7x £10 seems logical), that’d be quite a good bit of change!

    Points are valued between 0.5p and 1p depending on whether you’re happy to shop at Sainsbury! So he got back £31-£62 in points!

    • Surprised this was not on Shopperpoints today. Did not do so well this year, 3×500 and 1×200 on £40. Heading to the hills tomorrow so hopefully do better on refills on Sunday.

      Reminder: There is 1000 nectar points each on LNER and Virgin Trains for those who received the offer.

    • 5600 total in just over £100. Dont forget you have to shop to redeem this time and the self service tills didn’t like same day vouchers. It took a while but 25% discount which I can hopefully double up will be a good return.

  5. I have just made a complaint on their website as I have been affected by this, I would urge others to also make a complaint on the link below to the BA website to put more pressure on BA.

    I am fuming that my information has been put at risk.

  6. Double whammy for me with two different amex cards. Not happy that my personal details have been obtained.

  7. I´m not sure why everyone makes a big fuss about this. It´s so easy to cancel and get a new card – its not like sensitive/important information.

    • People are concerned not only about the card but now someone with ill intent may know when you’re abroad.

      • They don´t know that. Anyway there are easier ways to know whether you are at home or not. 🙂

        • Brian W says:

          They didn’t know where my home was until BA let them find out!

        • Are you certain about that Brain W?

        • Why do you think anyone wants to know where you live? Seems like a lot of unnecessary hassle when if they wanted to steal stuff they could just go to any house.

    • I have a number of HFP services charged directly to a credit card and when it expired recently it was a major pain to change it all over.

      • AFAIK this has nothing to do with this. Your cards just expired 😉 A llorar al barranco!

    • Brian W says:

      My name, address, post code and email address are important, especially when used together.

      Can I cancel them easily and get new ones? Nope, didn’t think so………..stupid comment.

      • If you are so concerned. Quit Amex, or whichever card you used.

        • Brian W says:

          What’s Amex got to do with my name, address and email being stolen? They remain the same regardless of any credit card I hold. This data can be used in the future for many things despite my Amex being cancelled or number changed.

          I had fraudulent charges on my BAPP in September when the first breach was announced and my card was cancelled and charges removed easily. Process was simple and what many of us have come to expect of Amex. I’ve had the second email too which I know relates to my Platinum. Fraudulent transactions on a card are not the worry, especially if its an Amex card.

          BA allowed other personal data to be harvested as well. You don’t seem to be capable of grasping this. If I ‘quit’ Amex, as you suggest, are BA or Amex going to foot the bill for me to move address and have my name changed?

          Your comment is stupid marcw

        • Or quit money, and rely on a barter economy instead. Theft of personal data is less of an issue if you just pay floor your flights in bacon and wheat.

        • No one really gives a f*ck where you live. The hackers only care about money. So does IAG: “where´s the f*cking money!”

        • Brian W says:

          The ones that walk into UK retailers such as Burton, Topshop, Dorothy Perkins where they offer a discount on goods if you take out their store card at the till, they care.

          The poor sods that then end up with the bill for they goods they walked out with and end up with the bill a few weeks down the line, they also care.

          Have a search online marcw, you can apply for a lot online with just a name and address and that then leads to the money you you’re on about.

          Happy to agree about IHG though.

        • You do realise name and address are fairly public? Everyone used to have it published in a big book distributed to all for free!

          Most people will also be on the open electoral register with their name and address available for anyone to just walk in and view.

          You’re being hysterical.

    • Not the sharpest spoon in the knife drawer, are you? Do you know what identity fraud is?

    • Lady London says:

      And your name, date of birth, address, past spending on flights etc will all be changed by getting a new card? That information can all be used for frauds that have nothing to do with cards.

      The problem is under English law you actually have to prove a loss or injury was caused by a specific thing such as British Airways’s lack of care. Once your personal data is left able to be accessed by, say, British Airways, it can easily be another 18 months or even much longer and it could still be being used for fraud. Depending on the fraud it may be very hard for youbto prove it was a direct consequence of the negligence of say, this particular negligence or whatever it was that happened on this incident at British Airways. Maybe a monster fine is the only way of society charging British Airways for this. Since all the incidents of loss caused by this are mostly likely to be impossible to trace back.

      A very long time ago when my cash machine card was stolen my bank told me attempts were still being made to use it 18 months to 2 years later. How much easier it must be to just use someone’s personal data now and keep using it. That is why this matters.

    • Clearly someone totally clueless about identity fraud and how fraudsters work. 🙂

  8. My spend was on my IHG card – received an email and text from Creation today confirming they were aware of the breach and monitoring things, no specific action required at present.

    • Shoestring says:

      A lot of hackers do it for the hell of it. I’m hoping so in this case, ie nobody has actually lost any money through the hack yet (or so we are told). And we’re not actually being advised to change all our passwords just yet.

      Tried one of my regular passwords in that you’ve been pawned site and so far so good (yep I know my password policy is poor, thanks, no need to bash me on the head)

    • Ditto, buit after I cancelled my current IHG card and got it replaced, as suggested by the person I spoke with at Creation yesterday. Personally I feel more comfortable doing that anyway.

  9. KelvinB says:

    Seemingly I meet the criteria but I have heard nothing from BA – how can I be certain I am unaffected? Surely they would know when I booked my reward flight and should email me to confirm I’m not affected – no news is not necessarily good news!

  10. Why is it only reward transactions which were compromised? I would have thought the system for card payments would be the same regardless of whether you were using avios or just money.

    • RussellH says:

      I would guess that BA use a separate part of their system for rewards transactions.

      I have experienced significant differences in the behaviour of transactions when buying investment funds for cash cf. for ‘loyalty bonuses’. Even though the actual screens looked identical, the software underneath behaved quite differently.

  11. Really really poor from BA! I’ve just read this and realised I saw an email on Thursday evening which I deleted. The title as you say was “Update on Theft of Customer Data”. I deleted without reading as I knew I wasn’t effected by the data breach. I’ve just gone into my deleted folder and pulled it out. BA have clearly deliberately used that subject of the email to go under the radar. How low can they go!?!

Please click here to read our data protection policy before submitting your comment.