British Airways’ data breach initially hit passengers who booked flights (revenue and Avios redemptions) during a limited period, which British Airways explained last month as follows:
From 22:58 BST 21 August 2018 until 21:45 BST 5 September 2018 inclusive, the personal and financial details of customers making or changing bookings at ba.com, and on our app were compromised. The stolen data did not include travel or passport information. The breach has been resolved and our website is working normally.
British Airways at the time said around 380,000 customers had their personal information compromised, although they have now revised that number down to 244,000 customers.
But British Airways has now released a statement admitting that an additional 185,000 passengers have been affected, specifically those who made reward bookings using a payment card (i.e. to pay the fees and taxes) during the much longer date range of April 21 to July 21, 2018.
BA estimates this 185,000 number as follows:
- 77,000 customers may have had names, addresses, email addresses, card numbers, expiry dates, and, most importantly, card verification value (CVV) numbers stolen, potentially allowing purchases to be made.
- 108,000 may have had the above details stolen, with the exception of the CVV, which would make it more difficult to make fraudulent purchases using these details.
I was caught up in the original breach (with the limited date range), and sure enough, checking my Avios redemptions I’m also caught up in the longer, earlier date range too — I redeem a lot of Avios!
To try and ease the minds of their customers, as well as their shareholders, British Airways has said:
- They do not have “conclusive evidence” that any data has been removed from their systems, but
- Affected customers should contact their bank or card provider “as a precaution”
- They have been “working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft” and this is why it has taken so long to notify customers
- They have not yet received any reports of actual fraud having taken place in relation to the data breach (i.e. the stolen details being used to make fraudulent transactions)
- They will still reimburse any financial loss suffered by their customers
I quickly received an email from American Express UK, which I suspect is the card issuer many affected passengers would have used, given those cards can earn the Avios needed for the redemptions in the first place, saying:
I’m writing to you in regards to the reported British Airways data breach update involving customer personal and financial details being compromised.
Once again, we want to assure you that our industry-leading fraud protection technology is continually monitoring for any suspicious activity in order to safeguard you. Also, as a Cardmember, you are not liable for any fraudulent charges that may occur on your Accounts. If you have used your American Express Card to book with British Airways, we are monitoring your Account for you.
There is no action you need to take – we will contact you immediately if there’s any unusual activity with your Account. In the meantime you can continue to use your Card as normal.
If we see any unusual activity which could be fraud, we will contact you immediately. For added protection, you can also sign up for free fraud and other Account activity notifications via email, SMS text messaging, or alerts through our app.
Thank you for your continued Cardmembership.
I have actually been more impressed with American Express’ actions than British Airways’ this year.
If you made any Avios redemptions during this earlier, longer period, British Airways recommends contacting your card issuer. You may wish to request a new card (with a new card number, CVV, etc.), though American Express UK at least has advised their customers that this is not necessary.
Did you redeem Avios during this period? What is your strategy if you are potentially affected by fraud?