British Airways admits massive data breach including theft of credit card numbers

Friday 1pm update:  Various reports in our comments and elsewhere suggest that – despite BA statements – people who booked by telephone and with BA Holidays are receiving emails saying their details are compromised.  There are also other people, like myself, who made redemption bookings but have not received any email.  It is probably best to assume that any transaction you’ve made which led to a BA credit card charge is likely to be at risk.

Friday 12.30pm update:  IAG’s share price is down 3.6% so far today as investors worry about compensation payments and the impact on future bookings.  The overall market is only down 1.0%.

Friday 11.30am update:  It is worth noting that ba.com now says “The personal and financial details of customers making or changing bookings on ba.com and the airline’s mobile app were compromised.”  This means that you might be affected even if you did not purchase a ticket during this period.

The official ba.com page with more information is here.

Friday 10am update:  I get two paragraphs in the Daily Telegraph today, both website and newspaper – see here.  The Alex Cruz interview on Radio 4 this morning confirms that the following data has been stolen:

  • email address
  • postal address
  • credit card number
  • expiration date
  • CVV

Your frequent flyer and passport data have not been impacted, as those are not transmitted during the payment process.

On the upside, there is no sign of the vest yet:

I just realised that I have not received the BA email, even though I made a redemption booking on 3rd September.  Whilst this was an Avios booking, I paid taxes on a credit card and the payment process is the same as for a cash booking.

Friday 9.30am update:  BA appears to be in breach of ICO guidelines in its email to affected customers.  To quote from the ICO website:

“You need to describe, in clear and plain language, the nature of the personal data breach and, at least:

  • the name and contact details of your data protection officer (if your organisation has one) or other contact point where more information can be obtained;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach and including, where appropriate, of the measures taken to mitigate any possible adverse effects.”

Friday 9am update:  This breach appears to be ONLY related to transactions made online at ba.com, not avios.com or BA Holidays. This implies that BA may not have been encrypting payment details when they were sent to its payment processor, and that someone was picking them up on the way. You are at NO risk if you have a credit card stored at ba.com but did not make a purchase during this 2-week period.

Friday 8am update: It now appears that 380,000 transactions have been compromised.  You should have received an email overnight if you are included. There are no reports so far of card fraud linked to the breach and credit card companies are NOT replacing cards automatically. If you are nervous, you can report your Amex card as ‘lost’ via the website and it will be replaced.

The following press release just turned up from British Airways five minutes ago, for your information:

BRITISH AIRWAYS: THEFT OF CUSTOMER DATA

September 06, 2018

“British Airways is investigating, as a matter of urgency, the theft of customer data from its website, ba.com and the airline’s mobile app. The stolen data did not include travel or passport details.

From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised.

The breach has been resolved and our website is working normally.

British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice.

We have notified the police and relevant authorities.

Alex Cruz, British Airways’ Chairman and Chief Executive said “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”

British Airways will provide further updates when appropriate.”

Coming just a week after the high profile launch of the September sale – bookings for which have been caught up in this – the timing could not be worse.

I feel a bit sorry for British Airways at the moment.  They have spent the last year reversing the cut-backs of 2016 (the changes to Club Europe catering on the 12th are almost the final piece of the jigsaw) but there is no sign of public perception improving.  Good news, of course, makes for less interesting press coverage than bad news, which is why coming back from bad publicity is always hard.

Following on from the IT outage from last year, this theft is likely to raise more questions about the decision to move much of BA’s IT infrastructure to India.  Whatever money it saved will be peanuts compared to the costs of dealing with this breach.

And, given that I made a couple of redemptions last week, it looks like I’m going to need a new British Airways American Express card ….

The official BA web page discussing the leak and what you should do is here.

Comments (260)

This article is closed to new comments. Feel free to ask your question in the HfP forums.

  • Nick says:

    Nice piece in The Guardian Rob:

    Rob Burgess, editor of UK frequent flyer website headforpoints.com, said: “Data breaches are part and parcel of the world we now live in, and criminal activity is getting ever more sophisticated. Unfortunately, this is likely to be another PR disaster for British Airways, especially as it includes tickets bought in their September sale which is being widely promoted at the moment.”

  • Alex B says:

    They really ought to clarify what they know about the breach window.

    Was it only customers that made a booking in that time?
    Was it anyone who accessed the App or Web account but had payment cards stored?
    Was it anyone who logged on?
    Does it impact BA co-branded credit card holders differently to any other card schemes?
    Does it affect Iberia, Aer Lingus or Vueling bookings? What about bookings made through third parties?

    To be honest I wouldn’t trust them to know the answers. Everyone should be changing their passwords immediately.

    • Tina says:

      And are only customers who booked online affected? Or also those who booked via a phone call? Too little information: as is the Cruz modus operandi. Hopefully this will be the incident that makes him finally fall on his sword….

  • Jovanna says:

    I was wondering where the third article was today, now that the summer break is over. I see that you were holding back for the ‘big one’, Rob.

  • Boreas says:

    There is not, one might meekly imagine, perhaps ever a best time to experience a two-week long credit data breach. Nevertheless, days into the September sale, ahead of a fêted renaissance, might well take the biscuit for worst.

    This should conjure too many awful memories, methinks, to blow over softly. I am not quite sure the typical strategy – finding someone very unfortunate to blame while avowing any executive responsibility – will stick.

    To be quite honest, that it happened is one thing, but the delay in picking this up will meet torrential flak, oh, and rightly.

    I would be very sad to see high officialdom at British Airways not take public responsibility when questions get asked. Above all, the Board have duty to act (& appear to act!) as openly as possible. Tin-ear alternatives, especially if tinged with real sluggishness, might provoke another press storm on par with last year & the IT crash.

    I feel sorry for BA staff right now, particularly if this does hurt the airline – and most of all the several hundred thousand people who’ve had their card details snatched.

    A fun ride for IAG’s stockholders tho, with seat selection…

  • Niall d'Christopher says:

    Rob, you’re off in ‘cloud cuckoo-land’.

    It’s ONLY “part and parcel of the world we now live in”! Really? No wonder we lost the empire with that attitude. Don’t accept it. Don’t talk of accepting it. FIGHT IT!

    Here, send this on to your mate running BA:
    “Sir,

    Firstly, let me tell you what I am somewhat astounded with regarding your admission of such a fundamental failure to protect our personal and financial information:

    1. We are living in the 21st Century. It is not the 1800s. IT IS THE 21ST CENTURY.
    Why have you, as Chief Executive Officer, permitted British Airways to have in place systems that can be compromised in this way? There is NO excuse today for the obvious cavalier way you treat your customers’ financial information.
    2. Your assurance that your “website is working normally [now]” provides ZERO COMFORT. You thought it was “working normally” when the breach occurred! How many more failure ‘time bombs’ are still waiting to occur in your systems? What changes have you made to assure us it won’t happen again – silence!
    3. Your technology, your technology team, your head of technology IN PARTICULAR, your fellow senior managers and yourself have demonstrated a level of incompetence in allowing your flawed systems to be breached so catastrophically that good governance demands ‘wholesale’ sackings of those ultimately responsible for BA management’s failure to ensure such a breach CANNOT occur.
    4. It went on for 16 days and no one knew? I can’t tell you just how fundamentally this is wrong in the management of any system today. There is NO excuse for such outright ignorance and incompetence. Next thing you’ll be telling us is you’re sorry that a plane crashed … ‘but there was a breach of our systems’. And please, please don’t insult us by saying flight and engineering systems are run separately from corporate systems.

    Secondly, where do you get the gall to put the onus on YOUR customers to do YOUR job to make right YOUR failing? Telling us to contact our financial institutions and seek their advice on our compromised data which you undertook to KEEP SAFE when we gave it to you. Have you notified every single financial institution whose customers’ data you compromised? Have you worked with those institutions to close off opportunities for the hackers to gain any benefit from your tardiness in managing our financial information? Oh no, you expect the aggrieved parties to this shameful demonstration of the application of due diligence inherent in holding personal and financial information to do it for you – “we recommend that you contact your bank or credit card provider and follow their recommended advice”. And the really sad thing about it is, that’s ALL you’ve got and even worse is you obviously believe that’s ALL that is necessary. IT IS NOT.

    Finally, ‘heads must roll’. Starting with yours, for this appalling failure, not just of your systems but even more importantly, for allowing it to and responding so, so inappropriately.

    Presume you and your “team” will get their bonuses this year?

    Yours disgustedly,

    Niall d’Christopher

    PS I am not intending to personally attack you here; I’m sure you are a very nice chap. This is a reflection of my utter disappointment in your management at BA; such a great company being thrown down the toilet.”

    • Callum says:

      If you think data breaches are 100% avoidable then you’re beyond clueless.

      • Niall d'Christopher says:

        Go down with the ship Callum

        • Callum says:

          I have no connection to BA and actually rarely fly them as I generally go for the cheapest ticket (which for me is probably only a fifth of my travels or less).

          What I do have is a brain capable of rational and considered thought – something that’s depressingly rare nowadays (or perhaps more accurately, being willing to use it is rare!).

    • Rob says:

      I didn’t actually write that line, although my name is on it. It was put in to soften the criticism a bit. What I originally wrote was seen as too harsh!

    • Kip says:

      The line is a light-hearted way of expressing frustration at incompetence. It’s not meant to be taken literally.
      (…unless your response is an ironic stab at modern sensibilities…. this could get complicated….)

      • Catalan says:

        No irony in my response. People need to think about so called ‘light-hearted’ expressions first.

    • vlcnc says:

      I agree with Catalan here. Leave those knuckle-dragging thoughts to yourself.

      Also you are very naive if you think data breaches like this can be 100% avoided. I am very critical of BA but I think in this case, unless there’s some compelling evidence otherwise, we can assume this was just very unfortunate and part and parcel of online transactions today.

      • Rob says:

        Note that it is possible they were not encrypting your data when it was sent to their payment processor, which would make it 100% avoidable …..

      • vlcnc says:

        @Rob: That is fair enough if that is the case and BA should own up – hence my caveat. I guess my comment was overall, we have seen other companies caught up with these breaches increasingly, so it does seem to be quite common now.

  • CHRIS FITZGERALD says:

    Perhaps I am a little naive but I was impressed that the information was so quickly communicated to me this time and that when I contacted Amex via their live chat at what was 08.00 today where I am situated they already had prepared text to send me – and confirmed to my specific question that as regards Amex I had no further action to take. Passwords for Amex and BA have, of course, been changed….

    • Jeff says:

      Most companies announce they’ve been hacked 2 weeks – 2 months after (which is appalling), so I suppose the announcement was more of a surprise than the hack

      • Rob says:

        New rules now – under GDPR your fine is increased if you do not make an immediate announcement.

        • Lady London says:

          Good, IIRC Yahoo admitted 2 breaches quite recently that seemed to only come out 18 months to 2 years or so after the fact.

          The phone companies and another airline I deal with, one of which has a heavy presence in India, are now asking me to type in my credit card number and code on my keypad while they’re on the phone. The agent is only allowed to ask for the expiry date of the card to be handed over verbally. Seems a much safer system.

          My bet is they weren’t encrypting credit card details or the hackers had a live hack in place just before they were encrypted.

          After last year’s British Airways IT meltdown that ruined so many families’ Bank Holiday, no sympathy.

        • Alex says:

          Yes, anywhere between 20m EUR and 4% of revenues (which is almost half a billion in BA’s case…).

          A lot of law firms will be watching this one very closely as it’s probably the first high-profile case since the regulation came into play.

  • Nick says:

    Can confirm that bookings made on phone through Exec Club call centre are also impacted! Have just woken up to a nice email explaining that website is now working fine – but they have lost my personal data – nothing to worry about then Alex….

    • IT says:

      Not necessarily. They have probably sent an email to every person who made a booking during the impacted period, rather than wasting time pruning the distribution list to those ACTUALLY impacted. Happens all the time.

  • Bagoly says:

    On the payment page, BA have long had a comment saying something like “Shall we store your credit card details? Click here for why it is safer to do so than to send them each time.”
    That seems to have now disappeared, or maybe I am looking in the wrong place.

    I always thought that was bold, not least because some hackers will have seen that as a dare, although I could see a valid thought process.

    My first thought was that this breach makes the statement look particularly reckless.
    But given the assertion that the breach only applied to people who booked during a given time period, maybe it is particularly true in this case – the breach seems to have been during booking, not from the vault of stored cards.
    In which case it will be very interesting to hear whether it applied to all cards used for bookings during this period, or only to new (to BA website) credit cards.