Maximise your Avios, air miles and hotel points

British Airways discloses massive new credit card data breach covering Avios redemption flights

Links on Head for Points may pay us an affiliate commission. A list of partners is here.

The British Airways data breach saga, which first emerged in early September, has taken another painful turn for the airline.

British Airways disclosed on Thursday afternoon that a further 185,000 payment cards had potentially been compromised.

These cards had all been used to pay for Avios redemptions between 21st April and 28th July.

Only online bookings at ba.com were impacted.  Redemptions made via the British Airways app or call centre are safe.

Note that ALL forms of Avios redemption appear to be impacted.  You are included if you used Avios to part-pay for a car rental or hotel booking, according to BA.

It is important to note that this is 185,000 ADDITIONAL payment cards which are affected.  British Airways seems to have massaged the headline figure by stripping out cards which were also caught up in the first data breach.

The full statement is here.

The latest disclosure is broken down as follows:

77,000 payment cards have had their name, billing address, email address, payment number, expiry and CVV potentially compromised

108,000 payment cards have been similarly compromised but without the CVV number

You will receive an email during Friday if you are impacted.  According to BA:

“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution.”

On the upside, further investigation by British Airways into the original data breach last month has found that ‘only’ 244,000 payment cards have been compromised compared with the 380,000 figure originally claimed.

And, of course, Cathay Pacific revealed on Thursday that a whopping 9.4m sets of personal records had been unlawfully accessed.  This includes credit card data.

In some ways, this breach could be worse for BA than the original.  185,000 people represents a high percentage of the active British Airways Executive Club base.  The original breach will have caught up a lot of ‘once a year’ flyers whilst this one will be impacting people like us who make up a disproportionate part of BA revenue.  Anyone who has already sat through the 2017 weekend IT failure and the recent failures of the new FLY check-in system will probably have had enough by now.

You can find the latest BA statement on this latest breach here.

PS.  Having now seen the British Airways email, the heading “Update on Theft of Customer Data” is hugely misleading in my opinion and may lead to the email being deleted unread.

How to earn Avios points from UK credit cards

How to earn Avios from UK credit cards (December 2021)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

There are two official British Airways American Express cards with attractive sign-up bonuses:

British Airways BA Amex American Express card

British Airways American Express

5,000 Avios for signing up, no annual fee and an Economy 2-4-1 voucher for spending ….. Read our full review

British Airways BA Premium Plus American Express Amex credit card

British Airways American Express Premium Plus

25,000 Avios and the UK’s most valuable credit card perk – the 2-4-1 companion voucher Read our full review

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points, such as:

Nectar American Express

American Express Preferred Rewards Gold

Your best beginner’s card – 20,000 points, FREE for a year & two airport lounge passes Read our full review

American Express Platinum card Amex

The Platinum Card from American Express

30,000 points and an unbeatable set of travel benefits – for a fee Read our full review

Run your own business?

We recommend Capital On Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios:

Capital On Tap Business Rewards Visa

The most generous Avios Visa or Mastercard for a limited company Read our full review

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies and has a 30,000 Avios sign-up bonus:

British Airways Accelerating Business American Express card

British Airways Accelerating Business American Express

30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.

(Want to earn more Avios?  Click here to visit our home page for our latest articles on earning and spending your Avios points and click here to see how to earn more Avios this month from offers and promotions.)

Category

British Airways and Avios

Comments (251)

This article is closed to new posts. Discussion continues in the HfP Forums.

  • Simon says:
    26 Oct26 October 07:40

    That would explain the massive amount of fraud I experienced in May and June, when I booked an Avios redemption almost every week. As soon as Amex issued a new card because of fraudulent charges, the new card would suffer the same fate. Very disappointed with BA.

  • John H says:
    26 Oct26 October 07:56

    I’ve been caught up in this BA debacle, I was targeted for a small €99 charge on my BA Amex whilst I was away in Cyprus. I have to say thanks to the Amex App I spotted the 4am charge to my account phoned Amex and they sorted it out there and then and had my new card within 24hrs as I arrived home. So shame on BA but well done Amex. Just waiting to be hit again in this round as I have booked more Avios flights.

  • ft_overthehorizon says:
    26 Oct26 October 08:10

    I was also caught in this second breach, but as I always use Paypal for redemptions, I’m pretty sure I’m in the clear…

    • Bonglim says:
      26 Oct26 October 18:23

      annoyingly have to use the card directly when doing a 241 redemptions.
      That is what happened to me and I got caught out.
      Amex were great though.

  • Nick G says:
    26 Oct26 October 08:11

    I agree rob very misleading title. I was equally as confused until I read it was in addition!

    What about using Amex for making bookings on the Iberia 9k giveaway? Haven’t done many redemptions otherwise

  • MsB says:
    26 Oct26 October 08:13

    Received email from BA last night, having two booked redemptions in May.
    I paid via PayPal. Am I right to assume my credit card details won’t have been compromised?

  • Andy says:
    26 Oct26 October 08:15

    Well that explains the fraud on my BA Amex card back in August. Luckily the Amex App on my iPhone notified me of a £400 ASOS transaction straight away.
    It did however make me spend a couple of hours on a lovely summers day at a friend’s 50th birthday barbecue stuck inside sorting it all out. And then missing out on Avios from being without my card for a few days and having to use a different card for some big purchases.
    Whether or not this counts as “matrerial loss” I’m guessing not given BA’s customer service. A handful of Avios as compensation would be nice.

    • Rob says:
      26 Oct26 October 08:34

      No it doesn’t – BA makes it quite clear in its email that there hasn’t been a single case of fraud resulting from the sale of your card details on the dark web, honest guv ….. which makes you wonder how stupid the people who have been handing over $10+ per set of account details actually are ….

      • shd says:
        26 Oct26 October 08:42

        How can BA *possibly* know there’s been zero fraud due to this latest leak?

        How can they possibly know there won’t be in the future?

        (Spoiler: unless Cruz has found a working crystal ball, they obviously can’t)

      • Andy says:
        26 Oct26 October 09:04

        How on earth can they know? The timing of my fraud is deeply suspicious in that it happened soon after the dates BA notified me about, and they had all my card details. Hasn’t happened before with any of my Amex cards, I only use the BA card online for flights so I can’t see how else they would have got that info?..

        • Mark says:
          26 Oct26 October 09:52

          Quite. They can’t, of course. The way this is being handled with smoke and mirrors is almost as shocking as allowing it to happen in the first place.

          Time for Cruz to hand over the reigns to someone who understands that running a successful business requires more than just deep cost cutting.

        • Shoestring says:
          26 Oct26 October 12:29

          reins, as in what you might control a horse with

        • Mark says:
          26 Oct26 October 17:23

          OMG, the HFP’s been hacked by a spurious g adder.. 🙂

        • Shoestring says:
          26 Oct26 October 17:29

          No problemo with the old vernacular lol

          But certain things drive me mad as they hint the person hasn’t actually understood the underlying logic. My brother will very happily repeat ‘to be pacific’ ad nauseam (esp when he’s into the beers) even though he’s been told many times about ‘specific’ lol

      • Andy says:
        26 Oct26 October 14:23

        “Of the 380,000 payment card details announced, 244,000 were affected. Crucially, we have had no verified cases of fraud.”

        Well I’ve notified BA today by email of the fraud on my account from the details being stolen so count that as one verified case 🙂

        • Shoestring says:
          26 Oct26 October 14:29

          But you can’t logically/ conclusively link your stolen details with BA’s data breach.

        • JJ says:
          26 Oct26 October 14:47

          I can conclusively link my card (a new card issued by virgin which the only place it had ever been used was in BA.com) had multiple fraudulent charges made on it, this could only have come from the 1st BA breach.

          I’ve also been caught up in this latest one with a different card.

  • @alastairtravel says:
    26 Oct26 October 08:18

    Be interested to understand how some CVV numbers were exposed but not others.

    The email I got from BA explicitly said my CVV wasn’t

    • Daniel says:
      26 Oct26 October 09:09

      Mine does say CVV –> “While we do not have conclusive evidence that the data was removed from British Airways’ systems, it is possible your personal data may have been compromised. This includes your full name, billing address, email address and payment card number, expiry date and CVV. As a precaution we recommend you contact your bank or card provider and follow their advice.”

      • @alastairtravel says:
        26 Oct26 October 09:18

        Mine is different:

        While we do not have conclusive evidence that the data was removed from British Airways’ systems, it is possible your personal data may have been compromised. This includes your full name, billing address, email address and payment card details. Your CVV number has remained confidential

        • Michael Jennings says:
          26 Oct26 October 11:51

          I got that, too. I did book an Avios redemption in that period, but I *think* I did it using the BA App rather than the website.

      • Lady London says:
        27 Oct27 October 02:21

        I love British Airways saying this data was ‘removed’. To me that shouted ‘weasel word’. Data doesn’t get removed in a hack. The data isn’t removed. It’ss copied. Its still there in the care of British Airways – otherwise how else could they issue your ticket – but someone has been able to copy it.

        Saying ‘removed’ instead of the apparent truth ‘we allowed someone to copy it’ just shifts the blame onto the person that ‘removed’ it not the company that failed to protect it!

        For their weaselling communication alone I really hope BA get caned by the regulator on this. Is it a criminal charge they will be facing? If so then if they are convicted then as the burden of proof is higher in criminal cases then a conviction would open the door to civil compensation claims with lower burden of proof.

    • Lady London says:
      27 Oct27 October 02:09

      That sounds as though British Airways held data was hacked by two different successful methods. Wow.

  • Steve R says:
    26 Oct26 October 08:20

    Under GDPR, Data Protection Act 1998 & 2018 you are allowed to claim compensation for distress alone

This article is closed to new posts. Discussion continues in the HfP Forums.

New to Head for Points?

Welcome!  We’re the UK’s most-read source of business travel, Avios, frequent flyer and hotel loyalty news. Let us improve how you travel. Learn more on our About page.

VAA

Latest comments

Latest Forum Posts

Get 30,000 points bonus with American Express Platinum

Amex Gold

Check reward flight availability instantly for free!

See a whole year of reward seat availability on one page at SeatSpy.com

Booking a luxury hotel?

Our luxury hotel booking service offers you GUARANTEED extra benefits over booking direct. Works with Four Seasons, Mandarin Oriental, The Ritz Carlton, St Regis and more. We've booked £1.3 million of rooms to date. Click for details.

Get 20,000 bonus points and your first year free with American Express Gold

Amex Gold