British Airways discloses massive new credit card data breach covering Avios redemption flights

The British Airways data breach saga, which first emerged in early September, has taken another painful turn for the airline.

British Airways disclosed on Thursday afternoon that a further 185,000 payment cards had potentially been compromised.

These cards had all been used to pay for Avios redemptions between 21st April and 28th July.

Only online bookings at ba.com were impacted.  Redemptions made via the British Airways app or call centre are safe.

Note that ALL forms of Avios redemption appear to be impacted.  You are included if you used Avios to part-pay for a car rental or hotel booking, according to BA.

It is important to note that this is 185,000 ADDITIONAL payment cards which are affected.  British Airways seems to have massaged the headline figure by stripping out cards which were also caught up in the first data breach.

The full statement is here.

The latest disclosure is broken down as follows:

77,000 payment cards have had their name, billing address, email address, payment number, expiry and CVV potentially compromised

108,000 payment cards have been similarly compromised but without the CVV number

You will receive an email during Friday if you are impacted.  According to BA:

“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution.”

On the upside, further investigation by British Airways into the original data breach last month has found that ‘only’ 244,000 payment cards have been compromised compared with the 380,000 figure originally claimed.

And, of course, Cathay Pacific revealed on Thursday that a whopping 9.4m sets of personal records had been unlawfully accessed.  This includes credit card data.

In some ways, this breach could be worse for BA than the original.  185,000 people represents a high percentage of the active British Airways Executive Club base.  The original breach will have caught up a lot of ‘once a year’ flyers whilst this one will be impacting people like us who make up a disproportionate part of BA revenue.  Anyone who has already sat through the 2017 weekend IT failure and the recent failures of the new FLY check-in system will probably have had enough by now.

You can find the latest BA statement on this latest breach here.

PS.  Having now seen the British Airways email, the heading “Update on Theft of Customer Data” is hugely misleading in my opinion and may lead to the email being deleted unread.



Comments (251)

This article is closed to new posts. Discussion continues in the HfP Forums.

  • John W says:

    Just received the e-mail from BA which states I may have been affected.

    Amex e-mail came straight after!

  • BTC says:

    I’ve been hit this time with a couple of redemptions in the time frame.

    Fair enough apologise for the criminal activity, but the email doesn’t apologise for their negligence in online security.

    Email from Amex first to arrive, with BA offering Experian ProtectMyID arriving 2 hours later.

    • Judge says:

      Have you ever heard of anyone (willingly, before any court action evolves) admitting negligence?

      • Bonglim says:

        So in healthcare the studies and evidence are absolutely clear.

        An early apology results in less payouts overall. The total payouts for cases that have changed from no payout to payouts because of an apology is far far smaller than the total saved by people not taking things further because of an early and honest apology.

        I am not sure if you can extend it in to other business areas, but the answer is yes, I have seen lots of people apologise, including admitting errors which would equal negligence before court action.

      • BTC says:

        In RTCs, and life in general, yes.
        From a company? Rarely.

        It would have been nice to have in the email a reassurance that the website is (now) secure, but that is glaringly missing.

      • Bagoly says:

        Merlin re the roller-coaster crash – a shining example that shows up nearly all other cases.

  • drt247 says:

    I got an email this evening from Amex updating the situation (which basically said very little). An hour later got an email from BA saying as I had booked a reward flight around May my data may have been compromised and to contact my card issuer.
    I rang Amex to cancel my card and the guy in the call centre seemed to be unaware of the BA email coming out which I found surprising given the links between a BA Amex card and BA reward flights!
    No fraudulent activity on my account.
    Rob, if you want a copy of the somewhat generic BA email I am happy to forward.

  • Tom says:

    I got the BA email about 2 hours after the Amex email. And frankly now that it has arrived I even find the email itself insultingly misleading – describing it as an “update”. It’s not an update at all. I wasn’t affected last time. Now I am.

    The doctor rings you at home: “Just a quick call nothing to worry about, wanted to update you on your friend Dave’s cancer.” “Err ok, what’s the update?” “You have cancer.” “What?!” “We take your health seriously. We’ve put a 10% off voucher for aspirin in the post.” “Sorry?!” “You’re welcome.” *click*

    • Mark says:

      Quite so. I’m in the same boat having made two redemption bookings 4 months ago. Very unimpressed, by BA’s negligence just as much as the ‘criminal activity’, and by the length of time taken to realise and notify people.

      There really is no excuse for lax online security, especially around any systems that process payments and hold personal data. The risks are well understood these days, and any organisation that really cares about their customers takes them seriously.

  • Will says:

    I’ve had the email from BA. I’m not sure what I booked in this time period but thankfully I currently don’t have the main card I was using at this time anymore as I have churned it.
    I knew this hobby was going to be useful!

  • Richard G says:

    FFS… yeah, I was definitely in this particular breach.

  • Sharaz says:

    Received BA email as update of customer data theft. Offers 12 months of Experian credit report monitoring. Received Amex email earlier.

  • Greg says:

    I woke up this morning to see a text message about fraudulent activity on my BA Amex. The card was cancelled but no mention of this issue.

    Tonight I have received the emails from Amex and BA. Timing is very suspicious.

    Not sure 1 year’s Experian membership will placate many people.

    • Callum says:

      People are generally unreasonable. If that doesn’t placate them then very little will.

      • Tim says:

        No Callum. People are generally reasonable. And in this instance, the reasonable thing to do is for the government to fine BA 3% of its revenue and then divide those funds between customers that had their details stolen, so that ambulance chasing lawyers don’t get any. If this were to happen, there would likely be fewer occurrences of data theft in the future, as companies would balance investment in IT versus a hefty fine. It is not rocket science!

        • Shoestring says:

          The consumers never get the divvy up – get real, never happened in UK.

    • Lady London says:

      Is British Airways getting commission or some other kickback from Experian for anybody who takes up the offer and subsequently auto-renews? Enquiring minds want to know….

      • Rob says:

        Unlikely, but Experian is unlikely to be charging BA for the free first year. This is a dream for them, tens of thousands of worried customers of whom 10% or so will autorenew at a fat fee.
