British Airways Data Breach Worsens — Did You Redeem Avios?


2018 will be remembered as a year of major airline data theft and security breaches. Already this year we have seen major breaches suffered by Air Canada, Cathay Pacific and British Airways.

British Airways’ data breach initially hit passengers who booked flights (revenue and Avios redemptions) during a limited period, which British Airways explained last month as follows:

From 22:58 BST 21 August 2018 until 21:45 BST 5 September 2018 inclusive, the personal and financial details of customers making or changing bookings at, and on our app were compromised. The stolen data did not include travel or passport information. The breach has been resolved and our website is working normally.

British Airways at the time said around 380,000 customers had their personal information compromised, although they have now revised that number down to 244,000 customers.

But British Airways has now released a statement admitting that an additional 185,000 passengers have been affected, specifically those who made reward bookings using a payment card (i.e. to pay the fees and taxes) between the much longer date range of April 21 and July 21, 2018.

BA estimates this 185,000 number as follows:

  • 77,000 customers may have names, addresses, email addresses, card numbers, expiry dates, and most importantly card verification value (CVV) numbers stolen, potentially allowing purchases to be made.
  • 108,000 may have had the above details stolen, with the exception of the CVV, which would make it more difficult to make fraudulent purchases using these details.

I was caught up in the original breach (with the limited date range), and sure enough, checking my Avios redemptions I’m also caught up in the longer, earlier date range too — I redeem a lot of Avios!

To try and ease the minds of their customers, as well as their shareholders, British Airways has said:

  • They do not have “conclusive evidence” that any data has been removed from its systems, but
  • Affected customers should contact their bank or card provider “as a precaution”
  • They have been “working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft” and this is why it has taken so long to notify customers
  • They have not yet received any reports of actual fraud having taken place in relation to the data breach (i.e. the stolen details being used to make fraudulent transactions)
  • They will still reimburse any financial loss suffered by their customers

I quickly received an email from American Express UK, which I suspect is the card issuer many affected passengers would have used, given those cards can earn the Avios needed for the redemptions in the first place, saying:

Dear Cardmember,

I’m writing to you in regards to the reported British Airways data breach update involving customer personal and financial details being compromised.

Once again, we want to assure you that our industry-leading fraud protection technology is continually monitoring for any suspicious activity in order to safeguard you. Also, as a Cardmember, you are not liable for any fraudulent charges that may occur on your Accounts. If you have used your American Express Card to book with British Airways, we are monitoring your Account for you.

There is no action you need to take – we will contact you immediately if there’s any unusual activity with your Account. In the meantime you can continue to use your Card as normal.

If we see any unusual activity which could be fraud, we will contact you immediately. For added protection, you can also sign up for free fraud and other Account activity notifications via email, SMS text messaging, or alerts through our app.

Thank you for your continued Cardmembership.

Bottom line

I have actually been more impressed with American Express’ actions than British Airways’ this year.

If you made any Avios redemptions during this earlier, longer period, British Airways recommends contacting your card issuer. You may wish to request a new card (with a new card number, CVV, etc.), though American Express UK at least has advised their customers that this is not necessary.

Did you redeem Avios during this period? What is your strategy if you are potentially affected by fraud?

  1. Guys, can anyone shed some light on the following?

    I follow a couple of blogs dealing with travel and most of the owners include “Travel Consultant” in their occupation. Some of their blog entries also mention things like “I had to catch up with work … etc.”

    1) What does “Travel Consultant” mean?
    2) Is it about advising Airlines or private customers on travel options?


  2. I did redeem Avios during the time period affected but I always use the “virtual account number” feature on my Citi card, which would be worthless if someone tried to use it. I also don’t save my passport info… looks like my paranoia could help me!

  3. Redeemed Avios for Cathay award. Received notifications from both airlines on the same day letting me know of their respective data breach incidents. Double whammy for me.

  4. So here’s what I don’t get. For all I know merchants are not supposed to store your CVV on their system. It is verified at time of transaction and that’s it.
    If British Airways has those in their system, it may suggest that either my information is incorrect (that’s what my card issuer advised) or that BA is in breach of the credit card regulations.

  5. I redeemed Avios for a one way JL flight from KIX – PVG and I paid using the Citi Premier card (trying to get that 60K bonus).

    A few weeks later I got a call/email/text from Citi saying that they’d detected fraud on my account. Someone made about 4 transactions of varying amounts (about $200 – $3900) on my Citi card. Luckily Citi was proactive and amazing about it and caught it before any more damage could be done. They cancelled that account and overnighted me a new card.

    I was/am freaking out about the whole thing because who knows how deeply it could all go. I reached out to BA about it and got some generic answer about my “request” being forwarded to customer relations.

    The whole thing sucks…but props to Citi.

  6. I have never redeemed Avios, but I just discovered that someone fraudulently redeemed 45000 of my Avios in May 2018 for flights between China and Japan. I am trying to get my Avios back but BA is so busy due to the data breach that it’s hard to reach the right people.

  7. BA sent their apologies my way upon which I called my card issuer. At the end of the day they don’t see any need for immediate action and told me they would monitor my accounts.

    Even with that kind of reassurance I remain highly sceptical though, I had an incident way before the mischief at BA happened, so time will tell …

  8. Was caught in the hack by one day – the first time period that BA said. Never received an email from BA. Got a replacement card anyway. Terrible the way they have handled this data theft. It’s out of control, that is, BA lost control over their computer security.

  9. Citi called me and told me they’re shipping me a new Prestige card with new number due to 3rd party security breach, although they wouldn’t tell me who the culprit was.

  10. Doesn’t anyone realise that this mess and the “Act of God” outage in May 2017 all go back to one person: Alex Cruz? If BA is taking short cuts like Equifax with their computer operations, I wonder when Mr Cruz will start taking short cuts with aircraft maintenance. If that happens, it will not be the computers that crash.

  11. Okay, that’s how my wife’s card got compromised, it’s from British Airways. Someone in France bought two tickets to Dubai in mid September. I am still dealing with it, had to sign a bunch of paperwork claiming that wasn’t me.

  12. Redeemed BA miles (never quite understood this Avios thing) for a BA flight. (I know, pretty dumb)

    Changed my Visa card the day I heard about this. So far no damage. I’d like some proactive compensation from BA though.

  13. @katie C. Same with my Citi Premier. What’s annoying is that I think the new card number restarts my 24 month clock for TYP!

  14. Yes, I was caught up in the British Airways breach, redeemed Avios for travel and paid with my card. Chase was very understanding and immediately sent me a new card. Still super lame that the thieves got a bunch of my personal information. Time to lock down all of the credit reports.

  15. @BobNL

    1) What does “Travel Consultant” mean?
    – Same as ANY other consultant. They take your money and tell you what you already know in a way you don’t understand so they make you feel like you get something new.

    2) Is it about advising Airlines or private customers on travel options?
    – They advise ANYONE who is willing to pay them money to let them tell you what you already know in a way you don’t understand so they make you feel like you get something new.

    N.B. McKinsey always deny these allegations in a way you don’t understand so they make you feel like you should give them money to let them tell you what you already know in a way you don’t understand so they make you feel like you get something new.

  16. The Avios breach was made public weeks ago at the same time as the Cathay Pacific breach. You guys are really late with this article.
