
Avios theft – hackers cancel your redemptions to boost their haul and BA won’t reinstate


Two weeks ago we wrote about the experience Rhys had when a hacker got into his brother’s Avios account, which was part of a household account that included Rhys, and drained over 500,000 Avios from the family members.

British Airways reinstated the Avios and all was good.

If you thought this meant that you could rest easy about Avios security, because BA will see you right, I’ve got some bad news.

It appears that the people who hack into Avios accounts are smarter than you think.

I have heard multiple reports of hackers checking the account to see if any unflown Avios reward bookings are in place.

If the hackers find reward flights, they cancel them.

Why? It’s simple. British Airways credits the Avios from a cancelled reward booking back to the same account immediately, with no further check. The hacker now has a larger pot of Avios to steal.
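The chain just described (log in, cancel any unflown reward bookings, wait for the refund to land, move the enlarged balance out) is also what a loyalty programme would look for on its own side. The following detection rule is an added example written for this article, not BA’s code: the event schema (login / cancel_reward / avios_out, session ids, Avios amounts), the two-hour window and the event stream itself are all assumed and constructed for illustration.

```python
"""
Added example (not BA's code): flag sessions in which reward-booking
cancellations are followed, within a short window, by outbound Avios
movements. The refund is only useful to a thief if it is moved out while
the session is still live, so the sequence itself is the signal.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    session: str
    kind: str        # hypothetical kinds: "login" | "cancel_reward" | "avios_out"
    amount: int = 0  # Avios refunded by a cancellation, or moved out of the account


# Assumed window: how long after the first cancellation an outbound
# movement is still treated as "funded by the refund".
WINDOW = timedelta(hours=2)


def find_cancel_then_drain(events, window=WINDOW):
    """Return {(account, session): (refunded, drained)} for every session in
    which at least one reward cancellation is followed, within `window` of the
    first cancellation, by outbound Avios movements. Movements that happen
    before the first cancellation are ignored: they could not have been paid
    for with the refund."""
    by_session = defaultdict(list)
    for e in events:
        by_session[(e.account, e.session)].append(e)

    hits = {}
    for key, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        cancels = [e for e in evs if e.kind == "cancel_reward"]
        if not cancels:
            continue
        first = cancels[0].ts
        drained = sum(
            e.amount for e in evs
            if e.kind == "avios_out" and first <= e.ts <= first + window
        )
        if drained:
            refunded = sum(e.amount for e in cancels)
            hits[key] = (refunded, drained)
    return hits


def _t(hour, minute=0):
    return datetime(2025, 2, 10, hour, minute)


# Constructed sample stream: one hostile session and two benign ones.
SAMPLE = [
    # s1: attacker cancels two reward bookings, then moves the balance out
    Event(_t(1, 0), "acct-A", "s1", "login"),
    Event(_t(1, 5), "acct-A", "s1", "cancel_reward", 150_000),
    Event(_t(1, 7), "acct-A", "s1", "cancel_reward", 120_000),
    Event(_t(1, 30), "acct-A", "s1", "avios_out", 400_000),
    # s2: genuine customer cancels a booking and does nothing else
    Event(_t(9, 0), "acct-B", "s2", "login"),
    Event(_t(9, 2), "acct-B", "s2", "cancel_reward", 50_000),
    # s3: a transfer, then a cancellation an hour later; not funded by a refund
    Event(_t(12, 0), "acct-C", "s3", "login"),
    Event(_t(12, 1), "acct-C", "s3", "avios_out", 30_000),
    Event(_t(13, 0), "acct-C", "s3", "cancel_reward", 20_000),
]

if __name__ == "__main__":
    for (acct, sess), (refunded, drained) in find_cancel_then_drain(SAMPLE).items():
        print(f"{acct} session {sess}: {refunded} Avios refunded by cancellation, "
              f"{drained} moved out within {WINDOW}")
```

Only the first session is flagged: the second has no outbound movement and the third moved Avios out before cancelling anything. A rule like this is a trigger for holding the refunded Avios or forcing a step-up check before the transfer, not a replacement for a second factor on login.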

Now, as Rhys found out, British Airways will return the stolen Avios to your hacked account. It does not have to, and you should treat this as the goodwill gesture it is.

However, it appears that British Airways will NOT reinstate Avios bookings which have been cancelled.

You will, for clarity, get the Avios from those bookings returned to you. Unfortunately this isn’t much help if you made the redemption many months ago and have little chance of finding replacement seats.

To quote one of the comments to our original article:

One of the most worrying things I saw on a Facebook group was how a few accounts have been hacked and their existing reward flights cancelled to obtain more points to withdraw fraudulently.

BA refused to reinstate the flights once the Avios were returned, as presumably the reward availability was no longer there. This devastated one couple’s holiday which from memory was roughly 10 days away from when the account was hacked.

In response to this another HfP reader wrote:

Yes, my colleague had this. Luckily their flights were reinstated as there was availability, but he was told otherwise it would be a no.

So … don’t let the knowledge that British Airways will reimburse your stolen Avios stop you from beefing up your account security.

Whilst your Avios will be returned, you are still at risk of losing any redemption flights on your account.

PS. It’s worth noting that, for household account members, a flight can only be cancelled by the original booker. No-one else in a household account, or any other passenger on the ticket, can initiate a cancellation. This gives you a little more protection.

If you are the only person who ever books from your household account, your existing bookings are not at risk if another member is hacked. This was good news for Rhys, since he was two weeks away from heading off to New Zealand with three family members when his brother had his account compromised.



Comments (185)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Graham says:

    That really is worrying and could properly disrupt plans at fairly short notice! After the other recent article on this I double checked my security but couldn’t find a setting for 2FA. Is that just automatic? Feels like you can do a lot on your account before there’s any double check…

  • stevenhp1987 says:

    This is why you should never reuse passwords.

    Always use a password manager to ensure every site has a unique password. Change your master password regularly.

    It would also be useful if BA’s 2FA actually works though. I remember setting it up ages ago but it’s never actually been triggered.

  • Mikeact says:

    The only thing I have to do when I log in is tick the ‘I am human’ box, whatever that is.

    • memesweeper says:

      … you are unlikely to trigger the “human” test, and the test itself is now defeatable with moderately good AI and/or humans being paid to complete them in a click farm somewhere. Complete waste of time.

  • Graham says:

    I had a similar experience a week ago, nothing to do with hackers, just BA. I had a one-way 2for1 Avios flight GLA-SYD booked for 11 Feb. I was amazed when I booked it almost a year ago that there was availability. On 10 Feb I logged in for online check in and the booking had disappeared. I called the Gold line and got a very good agent who took ownership. After a long hold it emerged that the taxes and charges amount hadn’t cleared the credit card at the time of booking, and someone in BA decided to cancel it at the last moment without reference to me.
    The 2for1 voucher and Avios had not been refunded by this person. Anyway, I eventually got a call from the guilty party and the booking was reinstated on payment of the taxes. I think I was lucky that there seemed to be two seats left in business class. Not the best way to spend the night before leaving for a cruise.

  • Tim jackson says:

    This is what happens when companies don’t invest in their IT and security. Their customers suffer. How can anyone book a redemption flight in confidence, and the accommodation around it, if there is a significant risk that the booking is not secure? If BA’s website was a bank, the regulator would be involved by now. Avios is a de facto currency and the security to access it should be up to the levels of a bank. If I was a travel insurer, I would preemptively sue BA for negligence.

    • memesweeper says:

      I don’t think BA’s IT in general, and account management in particular, passes muster as fit for purpose. Unfortunately nobody gets to sue preemptively in the UK, you need to suffer an actual loss first, and the damages will just reinstate the loss, not (usually) force the negligent party to address the underlying issues.

      Big airports, NATS and so on are Critical National Infrastructure, and supposedly managed to a high standard for cyber security. Is BA in scope for this? The CAA is responsible for ensuring adequate standards of cyber security in the aviation sector, as part of the UK’s plans for cyber resilience in the face of concerted attack.

      I can’t see BA’s IT standing up to a moderate probing never mind a focussed attack by highly skilled and motivated attackers. Is the CAA aware of this? Never mind preemptive legal action, ask the CAA if they see BA as in scope as CNI, and if so, how the SNAFU of their IT is allowed to continue.

      Reference: https://www.caa.co.uk/publication/download/21294

    • NorthernLass says:

      Avios are not a currency, though. If you check the small print of any loyalty scheme in the UK, any points or similar rewards are allocated next to 0 monetary value.

  • Dave says:

    How does one setup 2FA for a household member?

    I am logged into their account and can’t for the life of me see the option in any of the menus or sub-menus…

    • memesweeper says:

      you can’t opt in.

      • memesweeper says:

        … and be careful what you wish for: once 2FA is set, AFAIK you can’t change the second factor, which is kafkaesque levels of absurd.

        • Rob says:

          And be careful what you wish for. Finnair’s 2FA is so bad that only about 10% of text messages seem to make it. I had to make them disable it.

  • sigma421 says:

    I do wonder if the mobile app is a bit of a weak point? 2FA exists online (most of the time) but the mobile app has never prompted me for it, even if I’m being asked for it online at the same moment.

    • memesweeper says:

      it’s reasonable to use a properly enrolled device as a second factor. 2FA on setup, job done. Add an optional biometric login to the app and you have high security and high convenience.

  • Charlie Whiskey says:

    Rob: there are endless queries in the comments about whether/how one can set up 2FA with BA to help protect our Avios accounts, and no answers. Furthermore there is universal unease about BA’s willingness or ability to recognise any IT security issues on its website, let alone rectify them.
    As this very useful and timely thread was kicked off by Rhys reporting his own horrendous experience (and noting that (a) it was only resolved by using his special contacts at the BA Press Desk and (b) they refused to be interviewed about Avios security) could you please use your considerable knowledge, experience, wisdom and clout to try to:
    a. Get BA to tell us if and how we can use 2FA.
    b. Find out, on the record, their official policy and attitude to reinstating stolen Avios and hacker-cancelled bookings; and also …..
    c. Their plans for increasing account security bearing in mind that, although they might claim ownership of the Avios and state they have no monetary value, de facto to us – their customers – the Avios plainly do have a cash value and we are encouraged to regard them as belonging to us to use.

    This security elephant that Rhys usefully released is not just in the room; it is now rampaging around upsetting a large cohort of BA’s supposedly valuable customers. Can you help please?
    Thanks in advance!

    • RobE says:

      And add to that…..how the heck do we change our password with the current web offering??

      • lcsneil says:

        Time to drop the Gold line an email I think, as I am now a very concerned “valued customer” having just read about this issue online…
        Wonder how bland they will be able to make the response…

      • RobE says:

        Ok – worked out what I was doing wrong. So, I used Chrome this time instead of Firefox. After changing the password, and seeing the nice green tick to say it’s all done, you have to scroll right to the bottom of the page and click on SAVE AND EXIT. Nothing is ever simple with BA.

    • JimBurgessHill says:

      I wholeheartedly agree Charlie. I’d love to have 2FA protection on my BAEC account. Like Rhys I had a stash of avios stolen a year & a half ago. Got them all reinstated but not a word from BA on how best to protect my account.

      Crazily, until a few weeks ago I was prompted for a 2FA code on logging in, but only when using the Safari browser. Given that I’d never been invited to set up 2FA I was effectively locked out of my account. That was until I realised I could get straight in using Chrome!

      The whole BA 2FA thing seems to be smoke & mirrors.
