
Avios theft – hackers cancel your redemptions to boost their haul and BA won’t reinstate


Two weeks ago we wrote about the experience Rhys had when a hacker got into his brother’s Avios account, which was part of a family account including Rhys, and drained over 500,000 Avios from family members.

British Airways reinstated the Avios and all was good.

If you thought this meant that you could rest easily about Avios security, because BA will see you right, I’ve got some bad news.

It appears that the people who hack into Avios accounts are smarter than you think.

I have heard multiple reports of hackers checking the account to see if any unflown Avios reward bookings are in place.

If the hackers find reward flights, they cancel them.

Why? It’s simple. British Airways returns the Avios to your account immediately. The hacker now has a larger pot of Avios to steal.

Now, as Rhys found out, British Airways will return the stolen Avios to your hacked account. It doesn’t have to and you should be grateful that it offers this as a goodwill gesture.

However, it appears that British Airways will NOT reinstate Avios bookings which have been cancelled.

You will, for clarity, get the Avios from those bookings returned to you. Unfortunately this isn’t much help if you had made a redemption many months ago and have little chance of finding replacement seats.

To quote one of the comments to our original article:

One of the most worrying things I saw on a Facebook group was how a few accounts have been hacked and their existing reward flights cancelled to obtain more points to withdraw fraudulently.

BA refused to reinstate the flights once the Avios were returned, as presumably the reward availability was no longer there. This devastated one couple’s holiday which from memory was roughly 10 days away from when the account was hacked.

In response to this another HfP reader wrote:

Yes, my colleague had this. Luckily their flights were reinstated as there was availability, but he was told otherwise it would be a no.

So … don’t let the knowledge that British Airways will reimburse your stolen Avios stop you from beefing up your account security.

Whilst your Avios will be returned, you are still at risk of losing any redemption flights on your account.

PS. It’s worth noting that, for household account members, a flight can only be cancelled by the original booker. No-one else in a household account, or any other passenger on the ticket, can initiate a cancellation. This gives you a little more protection.

If you are the only person who ever books from your household account, your existing bookings are not at risk if another member is hacked. This was good news for Rhys, since he was two weeks away from heading off to New Zealand with three family members when his brother had his account compromised.



Comments (185)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Jonathan says:

    When my account was hacked several weeks ago, I was sure that my passport details were in there but now they are not. Doesn’t this suggest that hackers were able to access this info… or did BA wipe this info when they reinstated the points? I also asked BA how to set up 2 factor security … No response! Any thoughts about these matters from you??

    • Skywalker says:

      If your account was hacked and you had the passport number saved, if your hacker was interested in your passport number then they would have had access to it.

      If you are not flying imminently, always delete your passport details (or replace the numbers with nonsense numbers until your real passport number is required and requested).

      There is no need for your passport details to be stored with BA for any longer than is necessary.

  • Freddy says:

    Better security such as 2fa being standard is needed but the most foolproof way of stopping hackers is a unique password

    • meta says:

      BAEC are all supposedly 2FA enabled, but it doesn’t mean much as if you read Rhys’ previous article the hackers were able to bypass it. It is so weak.

  • The real Swiss Tony says:

    The 2FA thing is a mystery. I rarely log into my kids’ accounts but tried the other day and the system would only let me proceed with one of them if I did the 2FA process. The others all remain just under a password. With a mere 7000 Avios in my account at the moment I’m not that concerned, although the 200k I’ve committed for bookings however is another matter…

  • kevin86 says:

    It isn’t possible to set up 2FA in account settings.

  • tomtom135 says:

    I have 2FA on mine, don’t remember setting it up so can’t advise on that but it’s definitely something that can be enabled.

    • Hugh says:

      It might have been possible to enable it at some point in the past but I am fairly certain it is no longer possible. If it was then surely someone would have replied to the numerous requests for someone to tell us how to do it!

      • memesweeper says:

        Some unknown factor within BA will trigger 2FA enrolment. You can’t opt in or out AFAIK. You also can’t change the second factor, nor is it required for all log ins. Your password can be “too long” for BA’s systems too, preventing you logging in with a new secure password (yes, they’ll let you set a long one, but not use it).

        Given the value in Avios and bookings, BA’s IT for authentication and authorisation is unfit for purpose.

  • John says:

    Seems like BA needs a 2FA check before completing many Avios requests, including before cancelling Avios bookings. Come to think of it: Qatar and Finnair have 2FA throughout… what’s up BA?

    • Mark says:

      2FA with BA, we will be lucky if they know what that is. Their IT is shocking and needs a lot more than 2FA, BA needs a complete reboot. Time to switch it off and back on!

      • Mark says:

        As if to prove my point I have just gone to their website to get the following message – “Safari can’t open the page “https://www.britishairways.com” because the server unexpectedly dropped the connection. This sometimes occurs when the server is busy. Wait for a few minutes, and then try again.”

  • lcsneil says:

    So I got locked out a couple of months ago and I got an email offering me 2FA and at the time dismissed it. I have just tried to click on the link in the email this morning and it says page not found too many redirects.

    So I thought let’s be super safe and change my password to a really long random one.
    All well and good. Went in and changed it. It confirmed details updated. Clicked Save & Exit at the bottom of the page and logged out and cleared all cookies.
    Tried new password and it wouldn’t log me in. So tried old password and bingo. Logged in OK.

    So tried changing again. Exactly the same as the first time so it appears that even when you DO try to change your password it doesn’t actually.

    Must be the new simplified password experience thought up by the “Club” team.

    Anyone else having that problem or am I special?

    • RobE says:

      No. I had exactly the same issue after reading the original article by Rhys. I cannot change my password.

    • Skywalker says:

      “So I thought let’s be super safe and change my password to a really long random one.
      All well and good. Went in and changed it. It confirmed details updated. Clicked Save & Exit at the bottom of the page and logged out and cleared all cookies.
      Tried new password and it wouldn’t log me in. So tried old password and bingo. Logged in OK.”

      Try shortening the password. It might let you save the new password then.

  • Geoff says:

    The whole security thing is bizarre – if you call, you need to give your name, FF No, Address and postcode and something like a saved credit card details (unless they can verify the number you are calling from).
    OR – you can go online with any booking ref and surname and you are in – from where you can change everything or cancel the trip. And those details are on any baggage tag – so don’t discard baggage tags or boarding passes mid-trip.

    • S says:

      I’ve often thought about this. Another place I see this all the time is in colleagues’ (public) work calendars. They add the flight as an event and it contains the 6 letter code, their FF number, full name etc…

      • tomtom135 says:

        I don’t think you can cancel a booking just by using surname and the booking ref. I just tried and it says it cannot be cancelled online and to call them. It may depend on the cabin.

      • memesweeper says:

        I’ve seen photos in social media with people delightedly holding up tickets and boarding passes with sufficient detail showing an attacker can cancel their flight (or, to really screw them up, just the return).

