
Avios theft – hackers cancel your redemptions to boost their haul and BA won’t reinstate


Two weeks ago we wrote about the experience Rhys had when a hacker got into his brother’s Avios account, which was part of a family account including Rhys, and drained over 500,000 Avios from family members.

British Airways reinstated the Avios and all was good.

If you thought this meant that you could rest easily about Avios security, because BA will see you right, I’ve got some bad news.

It appears that the people who hack into Avios accounts are smarter than you think.

I have heard multiple reports of hackers checking the account to see if any unflown Avios reward bookings are in place.

If the hackers find reward flights, they cancel them.

Why? It’s simple. British Airways returns the Avios to your account immediately. The hacker now has a larger pot of Avios to steal.

Now, as Rhys found out, British Airways will return the stolen Avios to your hacked account. It doesn’t have to and you should be grateful that it offers this as a goodwill gesture.

However, it appears that British Airways will NOT reinstate Avios bookings which have been cancelled.

You will, for clarity, get the Avios from those bookings returned to you. Unfortunately this isn’t much help if you had made a redemption many months ago and have little chance of finding replacement seats.

To quote one of the comments to our original article:

One of the most worrying things I saw on a Facebook group was how a few accounts have been hacked and their existing reward flights cancelled to obtain more points to withdraw fraudulently.

BA refused to reinstate the flights once the Avios were returned, as presumably the reward availability was no longer there. This devastated one couple’s holiday which from memory was roughly 10 days away from when the account was hacked.

In response to this another HfP reader wrote:

Yes, my colleague had this. Luckily their flights were reinstated as there was availability, but he was told otherwise it would be a no.

So … don’t let the knowledge that British Airways will reimburse your stolen Avios stop you from beefing up your account security.

Whilst your Avios will be returned, you are still at risk of losing any redemption flights on your account.

PS. It’s worth noting that, for household account members, a flight can only be cancelled by the original booker. No-one else in a household account, or any other passenger on the ticket, can initiate a cancellation. This gives you a little more protection.

If you are the only person who ever books from your household account, your existing bookings are not at risk if another member is hacked. This was good news for Rhys, since he was two weeks away from heading off to New Zealand with three family members when his brother had his account compromised.



Comments (185)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Andrew says:

    IANAL, but a couple of deep research queries using ChatGPT – looking specifically at the issue of BA not reinstating seats due to reward availability – conclude that BA has a very weak position and consumers are very likely to have a strong case. It highlights the contradictory position that BA claim Avios have no value yet you can very firmly put a price on them.

    My feeling is it’s only a matter of time before someone takes a spear to this and finds enough gaps in BA’s legacy of lacklustre customer support, precedents, incidents etc where the law and patience for flouting perceived fair value finally catch up with them.

    — a VERY short extract from the summary:

    The legal position regarding British Airways’ (BA) obligation to reinstate flights booked with Avios—particularly when the passenger bears no responsibility for cancellation—requires analysis of contractual terms, consumer protection law, retained EU regulations, and precedents in airline liability. BA’s reliance on “reward availability” as a precondition for reinstating bookings faces scrutiny under statutory protections that may override restrictive contractual clauses.

    BA’s reliance on “reward availability” to deny reinstatement is legally tenuous when standard seats exist. Contractual terms limiting redress for breaches caused by BA’s negligence or security failures are unenforceable under consumer protection and data protection law. Passengers have strong grounds to demand reinstatement through arbitration or litigation, supported by retained EU regulations and CMA enforcement precedents.
    Key Citations

    • S says:

      I wouldn’t put any faith in the determinations of an LLM for an issue like this. What does it actually know about this? What are its sources?

      • memesweeper says:

        It’s quite simple — if I impersonate a party to a contract and purport to cancel the contract, it’s not cancelled. I don’t think BA’s legal team would dispute this, even if the customer service centre won’t act.

        • Will says:

          Exactly this, a contract is between the parties involved in the contract.

          The argument may then boil down to if there is negligence on your side with respect to your account security.
          I think on that note though you are entitled to rely on BA’s required standards for security, to point out that 2FA or other methods of ensuring security and verification exist and BA’s failure to implement them means that accounts can be compromised relatively easily and the burden of responsibility for this lies with BA.

          I still can’t figure out how Apple Pay can secure your credit card but we can’t have that tech to secure a BA (or other) transaction.

          • Ed says:

            It can – although not to the same standard as the card data; BA has passkey / WebAuthn support – although whilst I’ve been asked to set it up multiple times I’ve not been asked to authenticate with it.

            A unique private key, tied to your device(s) and the ability to mandate verification using biometrics is incredibly secure – and a much better customer experience vs. passwords + 2FA; and frankly should become a minimum standard for this kind of application.

            Although in a world where you have finance standards pushing companies towards SMS which is knowingly insecure; I don’t expect it’ll be universally adopted any time soon.

    • Ihar says:

      “Contractual terms limiting redress for breaches caused by BA’s negligence or security failures are unenforceable under consumer protection and data protection law”

      Not sure that this has been established. If an account is hacked, it is probably due to the user’s negligence or security failure. Since BA can trace/recover the Avios then it is a much simpler scenario than banks. If the reward seats weren’t made available to others then the customer might have a point.

    • JamesF says:

      Where does BA say in the terms and conditions that Avios have no value? I’m sure I have read it on HFP before but can’t find it in the T&C.

      Essentially I have an open dispute with my bank involving Avios that I have been given for a purchase that has subsequently been refunded. I have offered to return the Avios, but they are refusing to take them, saying they are unable, and have debited my account 1.1p per Avios in cash to cover the cost. I doubt it’s legal to forcibly charge me like this, but not really sure where to start on a legal challenge, but showing that BA say they have no value seems a good place to start.

      • JDB says:

        Why is there a dispute with the bank about this? BA/Avios/IAGL don’t say Avios have no value and they are regularly shown to have value in different commercial situations or disputes. There might be a question over the value, but there are some objective ways to value them and the price of 1.1p doesn’t seem unreasonable to reflect the cost to a commercial purchaser.

        • JamesF says:

          Dispute arising because I claim I should have the opportunity to either re-earn my negative points balance or return the Avios, and shouldn’t be forced to purchase points (which in the T&C say cannot be exchanged for cash).

          That explains why I can’t find such a clause in the T&C, was responding to the original poster saying they had no value (which is in line with what I have read previously)

    • NorthernLass says:

      Er – you do know that ChatGPT will make something up if it can’t find the correct answer, don’t you?

      • Will says:

        What do you think is erroneous with its output in this specific situation?

        • NorthernLass says:

          Any of it could be, that’s the point.

          • meta says:

            Well, it’s clear all of it is pretty vague and law is very exact. Where are the details, which acts, which precedents is this answer relying on? First of all, there are no precedents on this in the UK. MCOL rulings on the value of Avios are not precedents because they can change.

            It’s fine for generating ideas when you’re already an expert. I just wait for the day someone loses money because they relied on the ChatGPT advice.

  • ADS says:

    “It [BA] doesn’t have to [reinstate your Avios] and you should be grateful that it offers this as a goodwill gesture”

    if my bank account gets hacked, banks are legally required to reinstate my account

    airline frequent flyer accounts should also be legally required to reinstate frequent flyer points – we shouldn’t have to rely on the “generosity” of the airline

    • memesweeper says:

      Provided they continue to offer this act of goodwill, I’d not be challenging their argument that the Avios belong to them. All sorts of tax or other obligations/liabilities might arise if Avios start being treated like money in the bank.

      • ADS says:

        yeah, i appreciate the potential tax issues … but if BA won’t reinstate hacker cancelled reward flights … then the pressure will grow for BA to be forced to treat customers properly

  • SammyJ says:

    I spent hours trying to change my password after the last article and kept just getting error messages!

  • DF says:

    We had our Avios stolen too. It is always people with 100s of thousands of Avios. How do they know? It must be an inside job. Also BA is negligent in its security as its 2FA just does not work. Their IT developers must be the worst in the world.

    • meta says:

      I think you may be right, it’s probably inside / outside type of dealing where someone on the inside just passes on the details to someone on the outside to execute. But you never know because BA refuses to engage with details after the act which might be a breach of privacy laws. Why is that?

  • riku says:

    Even though 2FA is configured for my BA account, I seldom get asked for the code when making a redemption or logging in. It would seem safer to transfer my points to an airline with better IT (eg Finnair Plus) and only transfer points as needed back to my BA account. I must always use my authentication app when logging into Finnair Plus.

  • Tom says:

    Having 500,000 Avios in an account is just asking for trouble. Let alone the devaluation risk.

    Earn and burn is the only way.

  • Misty says:

    Earn and burn is all very well, but if you are saving up for a large redemption of 250/300k there isn’t that much you can do about a largish balance, (save using a decent password) without a lot of messing about, transferring back and forth, maybe making your accounts even more vulnerable.

    You just have to hope you are one of the lucky ones who doesn’t get hacked, and if you do that BA don’t make a bish of sorting it out. I also think a lot of these are inside jobs, due to the fact that it mainly seems to be accounts with large balances that are targeted.

    • NorthernLass says:

      Also, unless you’re planning to take a flight within a couple of days of booking it, you’re still vulnerable!

      Definitely plenty of inside jobs here. People deliberately apply to work at companies where they’ll have access to schemes like this.

      • kevin86 says:

        Doesn’t need to be an inside job if BA are leaving the back door open.

        A lot of the time the problem is that people running companies are dinosaurs and don’t want to spend any money on cyber security.

  • Ross says:

    I had my EC account hacked early December. Account locked for over three weeks. Avios moved from Qatar as well as BA, Tier Points disappeared from my account, somehow, all attempts to log on to BA were redirected to a fake website, no response from my complaint three months on.
    I have a VPN, McAfee, Incogni & am incredibly private – nothing is safe.

    • Sam says:

      Got MFA/2FA turned on? A unique BA password?

    • Ironside says:

      “…all attempts to log on to BA were redirected to a fake website…”

      This is a red flag. It’s unlikely that an individual account hack would then redirect the user away from the website. For this to happen, either the entire website (ba.com) would have needed to have been compromised, or your computer / connection has been.

      The former has happened; the latter is equally possible. I’d start by checking that VPN: is it a free or paid-for version? If the former, my money’s on that being the attack vector.
