I have found at least 5 vulnerabilities on BA.com, BA’s partner websites, the BA helpdesk and BA’s lounge computers over the years - when reporting these to BA I never received a word of thanks. This is the opposite experience to other orgs I have reported issues to who responded promptly and gratefully.

None of these related to payment information or even (very) sensitive PII or I would not have let the matter rest - and with one or two exceptions these are no longer viable - but they were all evidence of seriously sloppy coding, access management and security, and could have consequences if someone were to abuse them. More importantly, they are the sorts of things which by definition BA are aware of and have chosen to ignore. And I think there is no motivation for BA’s predominantly outsourced call centre staff to report these issues up the chain. So I can’t honestly say I’m surprised that a flaw has arisen relating to the compromise of payment information.

Having been affected, and having had to cancel my credit card while abroad and now out of pocket thanks to invalidated card details for some pre-existing reservations, I am seriously considering giving my business to a more competent airline. The BA May Bank Holiday Disruption was only a year ago, and also impacted me, and while extending my Gold status for multiple years was a generous gesture it is fundamentally meaningless considering how much I fly with OW in the first place!