British Airways discloses massive new credit card data breach covering Avios redemption flights

Links on Head for Points may pay us an affiliate commission. A list of partners is here.

The British Airways data breach saga, which first emerged in early September, has taken another painful turn for the airline.

British Airways disclosed on Thursday afternoon that a further 185,000 payment cards had potentially been compromised.

These cards had all been used to pay for Avios redemptions between 21st April and 28th July.

Only online bookings at ba.com were impacted. Redemptions made via the British Airways app or call centre are safe.

Note that ALL forms of Avios redemption appear to be impacted. You are included if you used Avios to part-pay for a car rental or hotel booking, according to BA.

It is important to note that this is 185,000 ADDITIONAL payment cards which are affected. British Airways seems to have massaged the headline figure by stripping out cards which were also caught up in the first data breach.

The full statement is here.

The latest disclosure is broken down as follows:

77,000 payment cards have had their name, billing address, email address, payment number, expiry and CVV potentially compromised

108,000 payment cards have been similarly compromised but without the CVV number

You will receive an email during Friday if you are impacted. According to BA:

“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution.”

On the upside, further investigation by British Airways into the original data breach last month has found that ‘only’ 244,000 payment cards have been compromised compared with the 380,000 figure originally claimed.

And, of course, Cathay Pacific revealed on Thursday that a whopping 9.4m sets of personal records had been unlawfully accessed. This includes credit card data.

In some ways, this breach could be worse for BA than the original. 185,000 people represents a high percentage of the active British Airways Executive Club base. The original breach will have caught up a lot of ‘once a year’ flyers whilst this one will be impacting people like us who make up a disproportionate part of BA revenue. Anyone who has already sat through the 2017 weekend IT failure and the recent failures of the new FLY check-in system will probably have had enough by now.

You can find the latest BA statement on this latest breach here.

PS. Having now seen the British Airways email, the heading “Update on Theft of Customer Data” is hugely misleading in my opinion and may lead to the email being deleted unread.

How to earn Avios points from UK credit cards

How to earn Avios from UK credit cards (December 2021)

As a reminder, there are various ways of earning Avios points from UK credit cards. Many cards also have generous sign-up bonuses!

There are two official British Airways American Express cards with attractive sign-up bonuses:

British Airways BA Amex American Express card

British Airways American Express

5,000 Avios for signing up, no annual fee and an Economy 2-4-1 voucher for spending ….. Read our full review

British Airways BA Premium Plus American Express Amex credit card

British Airways American Express Premium Plus

25,000 Avios and the UK’s most valuable credit card perk – the 2-4-1 companion voucher Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points, such as:

American Express Preferred Rewards Gold

Your best beginner’s card – 20,000 points, FREE for a year & two airport lounge passes Read our full review

The Platinum Card from American Express

30,000 points and an unbeatable set of travel benefits – for a fee Read our full review

Run your own business?

We recommend Capital On Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios:

Capital On Tap Business Rewards Visa

The most generous Avios Visa or Mastercard for a limited company Read our full review

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies and has a 30,000 Avios sign-up bonus:

British Airways Accelerating Business American Express

30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

(Want to earn more Avios? Click here to visit our home page for our latest articles on earning and spending your Avios points and click here to see how to earn more Avios this month from offers and promotions.)

Category

British Airways and Avios

This article is closed to new posts. Discussion continues in the HfP Forums.

WhenWillBaCollapse says:

25 Oct25 October 19:14

Just checked some purchases made during the period…happened during a churn cycle so all amexs are cancelled 🙂

Guess this further supports the case for card churning!
- Shoestring says:
  
  25 Oct25 October 21:05
  
  5000 HFP cardholders affected by latest BA data breach.
  
  No cards actually lost any money as all cancelled 2 months previously 🙂
BJ says:

25 Oct25 October 19:20

Got lucky last time, almost certainly not this time.
- Lee says:
  
  25 Oct25 October 19:30
  
  +1
- MD says:
  
  25 Oct25 October 19:49
  
  Got done (and done hard) last time (might regale you with the tale of woe tomorrow morning in the inevitable furore in the comments section, as I need some advice). Also got the email from Amex this afternoon, but as far as I remember it would be the same BAPP as the last breach, so that’s er, a win I guess? ????
Neil Donoghue says:

25 Oct25 October 19:30

It all makes sense why American Expeess is currently offering 500 Avios for a £5 spend….Just BA compensating Amex for yet more headache.
- BJ says:
  
  25 Oct25 October 19:37
  
  On the plus side, I wonder if this will make IAG devaluations in the near future less likely? Hopefully they will prefer to limit bad press as much as they can.
  - MD says:
    
    25 Oct25 October 20:00
    
    One might hope so, but judging by their attitude to and handling of the last breach, they have no sense of shame so I doubt it would stop them.
- Tilly says:
  
  26 Oct26 October 08:35
  
  Has anyone successfully trigger the offer? No email to day redeemed like I usually get.
  - Rob says:
    
    26 Oct26 October 08:42
    
    No, it is still showing as ‘Saved’ on my wifes account despite transactions going through and being processed. Odd.
    - Tilly says:
      
      26 Oct26 October 20:44
      
      Ditto for both mine and my husband’s cards. Very odd.
Nick says:

25 Oct25 October 19:45

Has anyone affected by the first BA breach signed up to the SPG Law group action lawsuit? It was mentioned by Rob after a piece in The Times, but has also been widely covered since.
- Oh Matron! says:
  
  25 Oct25 October 22:22
  
  The problem with UK is law is that you have to demonstrate loss. Potential loss isn’t good enough
  - Andrew (@andrewseftel) says:
    
    26 Oct26 October 00:18
    
    That’s been quite a shaky assertion ever since Vidal-Hall v Google
James M says:

25 Oct25 October 19:48

I had made a reward booking through BA.com in June – HSBC called me a few weeks ago advising they had stopped my card and were sending a replacement.

Maybe the banks were advised several weeks ago, perhaps this was just precautionary? Either way well played HSBC.

Are there any banks / cards that offer ‘one time’ card details i.e. transaction specific, you request a number for a purchase after which it doesn’t work?
- Shoestring says:
  
  25 Oct25 October 20:00
  
  3V?
- MD says:
  
  25 Oct25 October 20:24
  
  Revolut do, but only on the Premium version (£6.99/month), not the free one. A virtual cards for online transactions etc that changes number automatically after each use.
  
  I believe the recently announced (more expensive) metal version has that benefit also.
- Pol says:
  
  25 Oct25 October 20:55
  
  I have a € bank account with bunq. Their cards don’t have a cvc on the card, the app generates a new cvc every time you pay. You have to open the app to see the code and it expires after 5 minutes, great security feature more banks should consider.
  I made several Avios bookings during the time frame, unfortunately used BA Amex for the extra points though, so may well be affected.
David says:

25 Oct25 October 19:56

Does this include “part-pay with Avios” bookings?
- Rob says:
  
  25 Oct25 October 20:16
  
  Not clear. If part-pay car hire is included then potentially so.
  - David says:
    
    25 Oct25 October 22:33
    
    Hmm, I did a few part-pays but no proper redemptions in that time period, and haven’t received an email from BA yet this time (but I have from Amex).
Alan Wan says:

25 Oct25 October 20:27

I have been effected by both BA data breaches this year. No email from Amex yet for the latest. Saying that the card I used for the Avios redemption already cancelled months ago due to my wallet being mislaid. Funnily enough the replacement card (Amex Gold) was cancelled last week due to a fraudulent transaction Amex picked up on.
Bonglim says:

25 Oct25 October 21:09

I just received an email from BA saying I was affected.

The card involved was subject to fraud last month. A couple of hundred pounds spent at deliveroo in Amsterdam. Amex obviously refunded it all immediately.
- On a diet says:
  
  25 Oct25 October 21:25
  
  At least you’re not dead
  
  https://www.bbc.co.uk/news/uk-northern-ireland-45938305
  - Shoestring says:
    
    25 Oct25 October 21:50
    
    Nice choice of pizza. But 700 days on the bounce?
    - HeathrowFlyer says:
      
      25 Oct25 October 23:31
      
      Isn’t the real crime that he paid £6k on a debit card….