
Avios theft – hackers cancel your redemptions to boost their haul and BA won’t reinstate


Two weeks ago we wrote about the experience Rhys had when a hacker got into his brother’s Avios account, which was part of a family account including Rhys, and drained over 500,000 Avios from family members.

British Airways reinstated the Avios and all was good.

If you thought this meant that you could rest easily about Avios security, because BA will see you right, I’ve got some bad news.

It appears that the people who hack into Avios accounts are smarter than you think.

I have heard multiple reports of hackers checking the account to see if any unflown Avios reward bookings are in place.

If the hackers find reward flights, they cancel them.

Why? It’s simple. British Airways returns the Avios to your account immediately. The hacker now has a larger pot of Avios to steal.

Now, as Rhys found out, British Airways will return the stolen Avios to your hacked account. It doesn’t have to and you should be grateful that it offers this as a goodwill gesture.

However, it appears that British Airways will NOT reinstate Avios bookings which have been cancelled.

You will, for clarity, get the Avios from those bookings returned to you. Unfortunately this isn’t much help if you had made a redemption many months ago and have little chance of finding replacement seats.

To quote one of the comments to our original article:

One of the most worrying things I saw on a Facebook group was how a few accounts have been hacked and their existing reward flights cancelled to obtain more points to withdraw fraudulently.

BA refused to reinstate the flights once the Avios were returned, as presumably the reward availability was no longer there. This devastated one couple’s holiday which from memory was roughly 10 days away from when the account was hacked.

In response to this another HfP reader wrote:

Yes, my colleague had this. Luckily their flights were reinstated as there was availability, but he was told otherwise it would be a no.

So … don’t let the knowledge that British Airways will reimburse your stolen Avios stop you from beefing up your account security.

Whilst your Avios will be returned, you are still at risk of losing any redemption flights on your account.

PS. It’s worth noting that, for household account members, a flight can only be cancelled by the original booker. No-one else in a household account, or any other passenger on the ticket, can initiate a cancellation. This gives you a little more protection.

If you are the only person who ever books from your household account, your existing bookings are not at risk if another member is hacked. This was good news for Rhys, since he was two weeks away from heading off to New Zealand with three family members when his brother had his account compromised.
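
The cancel-then-drain pattern described above can be written as a detection rule that a loyalty programme could run over its account activity. This is an added illustration, not code from Head for Points or British Airways; the event schema, field names, sample events and 24-hour window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not a real BA log format).
EVENTS = [
    {"ts": "2025-04-01T09:00:00", "account": "A1", "type": "login"},
    {"ts": "2025-04-01T09:03:00", "account": "A1", "type": "reward_cancel", "points": 120000},
    {"ts": "2025-04-01T09:05:00", "account": "A1", "type": "reward_cancel", "points": 90000},
    {"ts": "2025-04-01T09:20:00", "account": "A1", "type": "transfer_out", "points": 250000},
    # Benign case: a cancellation, then a small transfer weeks later.
    {"ts": "2025-04-02T10:00:00", "account": "B2", "type": "reward_cancel", "points": 50000},
    {"ts": "2025-04-20T10:00:00", "account": "B2", "type": "transfer_out", "points": 10000},
]


def flag_cancel_then_drain(events, window=timedelta(hours=24)):
    """Flag outbound transfers that follow reward cancellations on the
    same account within `window`, i.e. transfers funded by fresh refunds."""
    alerts = []
    cancels = {}  # account -> list of (cancel time, refunded points)
    # ISO 8601 timestamps sort correctly as plain strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        if ev["type"] == "reward_cancel":
            cancels.setdefault(acct, []).append((ts, ev["points"]))
        elif ev["type"] == "transfer_out":
            recent = [(t, p) for t, p in cancels.get(acct, []) if ts - t <= window]
            if recent:
                alerts.append({
                    "account": acct,
                    "transfer_ts": ev["ts"],
                    "transferred": ev["points"],
                    "refunded_in_window": sum(p for _, p in recent),
                    "cancellations": len(recent),
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_cancel_then_drain(EVENTS):
        print(alert)
```

A programme running a rule like this could hold the flagged transfer until the member passes an extra verification step, which also leaves time to reverse the cancellations while the seats may still be available.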



Comments (185)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • John says:

    I remember some time back Rob mentioning a revolution in 2024 of BA’s apps and websites because of billions in investment. It’s worse than ever. Thank outsourcing for that!

    • boardingcalls says:

      I don’t think it’s outsourcing to thank for, it’s a question of how much they are paying and what for, and I suspect they push their IT providers down in cost big time. It cannot be that hard to implement proper 2FA, since almost every other organisation has already done it.

  • samw says:

    “A goodwill gesture” to return points that are stolen by hackers because of BA’s poor IT??? This statement beggars belief.

    • NorthernLass says:

      The Avios belong to BA, so technically they are being “stolen” from BA, not the account holder. This is clear in the Ts and Cs, and does make collecting Avios a slightly risky operation!

      • meta says:

        This is yet to be tested in court and BA will not want to test in court so you’re likely to get a good settlement.

  • MCRguy says:

    HfP really needs to arrange an interview with BA IT to raise these concerns and get answers for the poor security, poor implementation of 2FA e.g. unable to update mobile amongst other things. They need to be held to task. They’re dealing with people’s hard work in earning Avios, involving spending considerable sums of money as well as people’s future flight bookings which could be lost at any moment to hackers it seems!

  • Henry says:

    How do you actually turn on 2fa for BA? I see no evidence that I have it and no way to enable it in the account settings.

    • supergraeme says:

      I came to ask the same thing!

    • Carole Crookes says:

      I was hacked in January. 240000 points transferred to an Iberia account. Email and home address changed. I found this out when I rang BA as my account was locked. Nothing I gave them for verification was accepted. Very poor response from them and after the call they sent a text message saying an email had been sent to me. I phoned back to try and get them to understand they had sent it to the hacker! It wasn’t getting through, I got quite frustrated and insisted they change my email which they did! Verbally, over the phone. Unbelievable. I was flying the next day and was very nervous that my address was known and house would be empty! I got my Avios back after a few weeks but am still waiting for answers to what happened. I have asked several times by email how to enable 2fa. Still waiting. If you find out please post. I would question BA’s security!

      • NFH says:

        Did you find out how your BA account was hacked? Did the hacker reuse a password that you had used on another web site?

        • Carole Crookes says:

          I have no idea, waiting to hear from BA but they transferred the points to an Iberia account without emailing me to check such a big transaction but then decided it was suspect and locked my account. Security at BA is the problem.

    • Marc says:

      I seem to have it set up, but don’t know how. My guess is that it can be done when changing your password?

  • Martin says:

    You would think that with competent IT in place it would be extremely hard to do this. Also it should be easy to see exactly where the stolen Avios went. Transactions should be traceable surely?

    • memesweeper says:

      There are ways to spend Avios that are effectively anonymous (or just not resistant to fake ID). I won’t mention any here as I wouldn’t want to help a future fraudster, but they exist.

  • Paul says:

    Although I agree with most comments above, I also feel that we as users of the system need to take some responsibility for our accounts.

    Strong passwords & 2fa where possible. This goes for all accounts including email and other accounts linked i.e. Finnair.

    • boardingcalls says:

      Absolutely we have to take some responsibility to change passwords regularly etc… a bit of a challenge though if you are trying to get your household members to do it also. They could implement some simple steps in my opinion 1) 2FA login 2) For any transaction ask for 2FA by text or email, i.e. cancellation of booking or transfer of Avios.

      However, related to BA refusing to rebook – Virgin do exactly the same, as I had my account compromised and in fact Virgin cancelled my bookings and refused to re-instate them! The points were returned. Luckily I managed to reobtain the availability at some point since we’d booked a hotel in St. Lucia already but they were not willing to help whatsoever! Also it took Virgin over 2 weeks to release the account back to me.

      • Marc says:

        It’s less about changing your passwords regularly (as this forces people to pick memorable passwords) and more about using a unique password for every account that is created and using a password manager.

        • Paul says:

          Yes, a password manager is the way forward. There are lots of free ones out there that are pretty good. Some of the better paid offerings cost as little as a dollar per month. Worth every penny in my opinion and work across multiple platforms seamlessly.

          If you use family linking of accounts, you need to ensure that other members of the family also do the same, or do as I do and manage their accounts. I manage my son’s and wife’s accounts in the same way I do my own.

          Let’s all take responsibility and not just complain about BA’s IT. Yes, it’s poor, but we also have a role to play in the security of our IT accounts.

      • tomtom135 says:

        Your second point I couldn’t agree more with this. Any sort of cancellation made possible manually via the website should be subject to additional security checks.

      • memesweeper says:

        Do NOT change your password unless you think it is compromised or you have used it in more than one place.

        Pick unique and genuinely random ones, and store them securely.

        It is basically impossible to do the latter without good password manager software (or a lot of dice and a book you never allow to leave your sight!)

  • Ant says:

    Exactly, how do you beef up account security?

  • Thywillbedone says:

    Speaking of BA’s terrible IT: does anyone know how to delete / create passenger profiles on the Executive Club? I have created more than one profile for several passengers in my family group (due to new passports etc) and wanted to clean it up so that only the new profiles remain. (Note: I have already updated information on ‘my friends and family’ section and ‘my travel companions’ section … I am talking about the profiles that you can select when making a booking … in my case, there are two names for each person and I am never sure if it is pulling the correct profile/passport details of the particular person.) Thanks
