On 25 October, British Airways announced that – on top of the 380,000 credit cards – another 185,000 people are affected by the theft of customers’ data previously announced on 6 September. “The airline has been working continuously with specialist cyber forensic investigators and the National Crime Agency to investigate fully the data theft,” British Airways said in a statement, “We are updating customers today with further information as we conclude our internal investigation.“
More information (British Airways passenger information)
The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV. The potentially impacted customers were those only making reward bookings between April 21 and July 28, 2018, and who used a payment card.
While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution. Customers who are not contacted by British Airways by Friday 26 October at 1700 GMT do not need to take any action.
In addition, from the investigation we know that fewer of the customers we originally announced were impacted. Of the 380,000 payment card details announced, 244,000 were affected. Crucially, we have had no verified cases of fraud.
We are very sorry that this criminal activity has occurred. As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.
Frequently asked questions
Which of my details were at risk?
If you are affected you will be contacted directly by British Airways, by Friday 26 October at 17.00 GMT at the latest, to specify which details may have been compromised.
When do I need to contact my bank?
UK Finance, the trade body for the UK Financial Services Industry, has issued the following advice: “customers are reminded to check their statements and if they spot any unfamiliar transactions, contact their bank or card company immediately”
Why am I just being told now? Why did it take so long?
This has been a complex investigation with specialist cyber forensic investigators, and working closely with the National Crime Agency, which is why new information has come to light.
I booked on the BA app, is that included this time?
The BA app was not affected. Only customers who made reward bookings on ba.com during this time were at risk.
What is a reward booking?
It is a booking made using our loyalty programme currency.
Will this affect me if I booked a flight on ba.com with a debit or credit card in the normal way – without using a reward booking / loyalty programme currency?
No. The potentially impacted customers were those making reward bookings between April 21 and July 28, 2018, and who used a payment card.
We will be contacting all affected customers directly.
Does it affect non-flights reward booking e.g. car rental, hotel rooms, experiences etc paid for with loyalty scheme currency on ba.com between April 21 and July 28?
The potentially impacted customers were those making reward bookings between April 21 and July 28, 2018, and who used a payment card. This could include car hire or hotel bookings for example.
We will be contacting all affected customers directly.
Was my data stored on ba.com?
There are a number of ongoing investigations, including a criminal investigation led by the National Crime Agency. It therefore would not be appropriate to comment at this time.
Were all reward bookings / loyalty scheme accounts affected?
No, the potentially impacted customers were those making reward bookings between April 21 and July 28, 2018, and who used a payment card.
If you are affected you will be contacted directly by British Airways, by Friday 26 October at 1700 GMT at the latest, to specify which details may have been compromised.
Does that mean my passport details were at risk?
No, passport details were not at risk.
I am one of the affected customers – should I cancel my card?
While we do not have conclusive evidence that the data was removed from British Airways’ systems, we recommend you talk to your bank or card provider and follow their advice.
I booked a reward booking within those dates, am I the victim of fraud? Should I be worried?
Although we have had no verified cases of fraud since our announcement on 6 September 2018, we recommend that as a precaution you contact your bank or card provider and follow their advice.
Is it safe to book with BA now? What reassurance can you give me this won’t happen again?
We identified and closed the breach in September. Ba.com is secure and working normally, and it is safe to book on ba.com.
What action are you taking? What should I do?
We are very sorry that this criminal activity has occurred. We will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.
I used PayPal to pay for my transaction. Is this impacted?
If you booked through PayPal, your PayPal account will not have been compromised. There does remain the risk that some of your personal information such as your name and address may have been accessed. No passport details or travel details were compromised.
Will I be liable for any fraudulent activity?
American Express Cardmembers are not liable for any fraudulent charges on their credit cards.
