Go Back  FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > British Airways | Executive Club
Reload this Page >

BA Investigating Theft of Personal and Financial Data

Old Sep 7, 2018, 8:15 am
FlyerTalk Forums Expert How-Tos and Guides
Last edit by: tbm13
Are you trying to change your BA password and having difficulty doing so? For some suggestions, go to this wikipost.
---------------------------------------------------------------------------------------------------------------------
On Thursday 6 September 2018 at about 1830 London time (UTC+1), BA announced that there had been a data breach involving customers using the BA website and the BA mobile app.

Updates from BA are being posted to this ba.com page: https://www.britishairways.com/en-gb...st-information
A further update dated 25 October 2018 can be found in this post 1377. The SPG Law class action thread can be found here.

As at 1400 London time on Tuesday 11 September 2018, the body of that page read:-
Customer data theft

We are investigating, as a matter of urgency, the theft of customer data between 22:58 BST August 21 2018 until 21:45 BST September 5 2018 from our website, ba.com, and our mobile app.

The stolen data included personal and financial details of customers making bookings and changes on ba.com and the airlines app. The data did not include travel or passport details.

The theft has been reported to the authorities and our website is now working normally.

What to do if you have been affected

If you believe you may have been affected because you made a booking or paid to change to your booking with a credit or debit card on ba.com or the mobile app between 22:58 BST August 21 2018 until 21:45 BST September 5 2018, we recommend you contact your bank or credit card provider and follow their advice.

We understand that this incident will cause concern and inconvenience. We are contacting all affected customers to say sorry, and we will continue to update them in the coming days.

Phishing

Customers should also be aware that fraudsters may be claiming to be British Airways and attempt to gather personal information by deception (known as 'phishing').

We will not be contacting any customers asking for payment card details and any such requests should be reported to the police and relevant authorities.

See below for more information on how to validate that the email you have received from us is genuine.
That is followed by a series of FAQs. These are reproduced at the end of this wikipost.

If you are experiencing difficulties in changing your BA password or want further information about doing so, some information is in this thread: https://www.flyertalk.com/forum/brit...rd-ba-com.html (which also has a wikipost).

Reports from FTers suggest that credit card companies and banks are taking differing approaches to this incident:-
  • American Express - A recorded message says they are aware of the breach, there is no need to take any further action and if you suffer any financial loss you will be fully compensated; an email says: "There is no action you need to take we will contact you immediately if there's any unusual activity with your Account. In the meantime you can continue to use your Card as normal" (see post 293, post 401, post 470 and post 491).
  • Barclaycard - They just assured me I was fully protected, and I didn't need to do anything yet (see post 253); however at 18.20 on 7/9/18 the customer service helpline automated message says that affected cards are being reissued (see post 511).
  • Barclays Bank - They have contacted people they believe to have been affected, and have blocked their cards from online use (website/app), but the cards remain valid for physical (chip & PIN) transactions in shops, ATMs etc. New cards being dispatched "within a week" (see post 918).
  • Capital One - online transactions being blocked, new cards being issued (see post 493).
  • Chase (British Airways visa) - no contact from Chase about data breach and card still working
  • HSBC Premier Mastercard - Offering customers the option to freeze the card or replace it with a new card (see post 274).
  • Lloyds - Said "wait and see", but did give the option to cancel the card and have it reissued (see post 403).
  • Lloyds Mastercard - Based on the information they have, fraudulent use of my card is unlikely, just keep an eye on online banking and report anything suspicious (see post 370).
  • Monzo - Automatically replacing all cards (see post 371).
  • Natwest- Of the opinion that as there had been no fraudulent activity on my account to just keep an eye on things, and to call immediately if any suspicious transactions appear and fraud team would refund (post 315).
  • Sainsburys Bank - seem to be replacing all cards proactively (see post 968)
  • Starling - Automatically replacing cards (see post 460).
  • Tesco Bank - Pro-actively sending a new card as per details in this post (post 484)
  • TSB - Call the Telephone Banking Team on 03459 758758 to discuss further (see post 437).
  • Vanquis - online transactions being blocked, new cards being issued (see post 493).
FAQs (as at 1400 London time on Tuesday 11 September 2018):-
Have I been affected?

How do I know if I have been affected?

Customers who made bookings or changes to their bookings on ba.com or our mobile app between 22:58 BST August 21, 2018 and 21:45 BST September 5, 2018 may have been affected.

We advise any customers who believe they may have been affected to contact their banks or credit card providers and follow their advice.

We are experiencing high call volumes into our contact centres so please continue to check this page for the latest information.

Contact us

What data has been lost?

The personal and financial details of customers making bookings on ba.com and our mobile app between 22:58 BST August 21, 2018 and 21:45 BST September 5, 2018 was compromised. No passport or travel details were stolen. Only customers who made bookings between these dates are affected.

Names, billing address, email address and all bank card details were all at risk.

Did this affect just new bookings or any payment transaction made within the impacted time period?

All payment transactions made on ba.com or our mobile app from 22:58 BST August 21 2018 to 21:45 September 5 2018 inclusive were affected. Nothing before or after these dates and times was impacted. Payments made through our call centres, travel agents or online travel sites are not affected.

Are my saved payment card details safe if they were used to make a booking in that period?

If you made a payment using a saved card on ba.com or the mobile app from 22:58 BST August 21, 2018 to 21:45 September 5, 2018 inclusive, you may have been impacted.

No Executive Club accounts were compromised in the data theft. There is no impact to Avios or details stored with the British Airways Executive Club.

Has saved credit card data been stolen, even if a booking hasnt been made in that period?

No, saved payment card data has not been compromised. However, if you made a payment using a saved card on ba.com or the mobile app from 22:58 BST August 21, 2018 to 21:45 September 5, 2018 inclusive, you may have been impacted.

How were phone numbers not affected?

Phone number information is collected in a separate part of the booking process and is not used as part of the payment transaction therefore this has not been impacted.

I used PayPal to pay for my ba.com transaction. Is this impacted?

If you booked through PayPal, your PayPal account will not have been compromised. There does remain the risk that some of your personal information such as your name and address may have been accessed. No passport details or travel details were compromised.

Is Apple Pay affected?

If you used Apple Pay via the mobile app then your data will not have been compromised.

I had a failed payment attempt during the affected time period am I affected?

If you clicked the pay button on ba.com then the transaction would have taken place even if the outcome was unsuccessful and the data would have been compromised.

We advise any concerned customers to contact their banks or credit card providers and follow their advice.

Will I be affected if I made a free change to my booking but my payment card details were saved in the reservation?

If you made a free change to your booking via ba.com and did not use your payment card as part of that transaction, then you will not have been impacted.

Are travel agent bookings affected?

Only bookings or changes to bookings made directly with ba.com or the mobile app between 22:58 BST August 21, 2018 and 21:45 BST September 5, 2018 were affected.

If a change was made to a travel agent booking on ba.com and payment made for an additional product, such as seat reservations or excess baggage, then these would be affected.

Does this affect Executive Club accounts in any way? i.e. missing Avios/ Tier Points

No accounts were compromised in the data theft. There is no impact to Avios or details stored with the British Airways Executive Club.

I received an email about the data theft, however I only cancelled a booking during this time will I be affected?

If you cancelled and refunded your booking between 22:58 BST August 21, 2018 and 21:45 September 5, 2018, you will not have been impacted.

---------------------------------------------------------------------------------------------------------

What should I do if I think I am affected?

Should I call my bank or cancel my credit cards?

We recommend that all customers who made bookings or changes to their bookings with ba.com or the mobile app, between 22:58 BST August 21, 2018 and 21:45 BST September 5, 2018, contact their banks or credit card providers and follow their advice.

I think my card was compromised when I made a booking on ba.com outside of the time period what should I do?

The data theft relates to customer bookings made or changed between 22:58 BST August 21, 2018 and 21:45 September 5, 2018 only.

We advise any concerned customers to contact their banks or credit card providers and follow their advice.

How would I know if I have been a victim of identity theft?

There are a number of signs to look out for that may indicate that you might have been a victim of identity theft:-
  • Post from your bank or utility provider doesnt arrive.
  • You apply for state benefits, but are told you are already claiming.
  • Refused financial services, credit cards or a loan, despite having a good credit rating.
  • Receiving letters in your name from solicitors or debt collectors for debts that arent yours.
If you think that you might be a victim of identity theft, then you should:
  • Request a copy of your credit file to check for any suspicious credit applications.
  • Report the theft of personal information and suspicious credit applications to the police and ask for a crime reference number.
  • If fraud has been committed, contact Action Fraud.
I have had some suspicious emails or phone calls are they legitimate?

If you are concerned about an email, we recommend that you don't click on any links, open any documents or reply to it until you have looked into it further.

Official emails relating to this theft will be sent from: [email protected]. You should hover over the sent email address to confirm this is where the email has been sent from before clicking on it.

British Airways will never proactively contact you to request your personal or confidential information. If you ever receive an email or call, claiming to be from us, requesting this information, please report it to us straight away.

We've put the details of the scams we're aware of on our ba.com website security page. There's also security essentials information to help you, along with details of how to report any new scams to us (or other emails/calls that have concerned you).

Will I be reimbursed?

We take the protection of our customers data seriously and are very sorry for the concern that this criminal activity has caused.

We will continue to keep our customers updated with the very latest information.

No customer will be out of pocket as a direct result of the criminal theft of data from ba.com and the airlines mobile app. Any customer who made a booking between 22:58 BST August 21 2018 and 21:45 BST September 5 2018 will be reimbursed for any fraudulent activity on their accounts as a direct result of the data theft and we shall advise the process for this in due course.

We will be offering a 12-month credit rating monitoring service to any affected customer who is concerned about an impact to their credit rating, provided by specialists in the field and will share details of this in the near future.

Will BA pay for costs associated with getting new cards, e.g. postage costs?

No customer will be out of pocket as a direct result of the criminal theft of data from ba.com and the airlines mobile app. We are working through the process and will update our customers as soon as we can.

How do I reset my ba.com password?

ba.com and Executive Club accounts have not been compromised and your login details are safe.

However, if youd like to change your password, first ensure you are logged out of ba.com and click the Forgotten Pin/Password link on the top right-hand corner of the homepage. We recommend you choose a unique password that you do not use for any other online account.

We are aware of some customers experiencing intermittent issues when attempting to reset their passwords. We are working on resolving this as quickly as possible.

---------------------------------------------------------------------------------------------------------

How does this affect my bookings?

What shall I do if I am due to travel today?

The incident has been resolved and all systems are working normally so customers due to travel can check-in online as normal.

Will I still be able to check in?

Yes, all customers booked on our flights will be able to check in as normal.

Will this affect any future bookings?

The incident has been resolved and ba.com is working normally so future bookings will not be affected.

Will bookings made over the period of this incident remain confirmed?

Yes, all bookings made remain valid for travel.

If I cancelled the card my booking was made with what do I need to bring to the airport?

The payment card that was used to pay for the booking should be brought to the airport if you are the owner of the card and are travelling. However, if the payment card has expired since the booking was made and you have a new card, or you don't have the original card used for payment, please print out a copy of your flight itinerary from Manage my Booking.

I have now cancelled my credit card, but I had used that card to make a future flight booking, so how will I be able to access that booking?
You do not need to enter your payment card details when retrieving an existing booking via Manage My Booking on ba.com, so access to future booking is not restricted due to the cancellation of the payment card.
As of Wednesday 12th September, affected customers are being emailed with the following additional information

We deeply apologise for any worry and inconvenience this criminal activity has caused. For your reassurance, were offering you 12 months of free credit and identity monitoring services, provided by Experian, one of the UKs leading Credit Reference agencies.

Your free ProtectMyID membership
To help you to monitor your personal information for certain signs of potential identity theft, we are offering you a free 12 month membership to Experian ProtectMyID. This service helps detect possible misuse of your personal data and provides you with identity monitoring support, focussed on the identification and resolution of identity theft.

Activating your free ProtectMyID membership
1. Ensure that you sign up for the service by 12 December 2018. Your code expires after this date.
2. Visit the ProtectMyID website to get started.
3. Click on Join ProtectMyID (top right-hand side).
4. Enter your details along with the following activation code: XXXXXXXX
This code is unique to you and only available in this email please keep this email for reference.

Once your membership is activated, youll have access to the following features:
1. Unlimited access to your Experian Credit Report.
2. Credit Alerting an email or text to let you know when certain changes happen on your Experian Credit Report, such as the addition of a new credit search.
3. Access to an Identity Theft Resolution service if you do become a victim of fraud, where youll have a dedicated case worker who will support you in resolving fraud that has occurred.
4. If you are at higher risk of fraud, Experian can add protective Cifas registration to your credit report which can help prevent credit being taken in your name. The Cifas Protective Registration service places a flag alongside your name and personal details in the National Fraud Database. Companies and organisations who are signed up as members of the database will see youre at risk and take extra steps to protect you.

If you have any questions regarding this service, then please contact Experians Customer Support Centre on 03444 818182*. They are open Monday to Friday, 8am to 8pm and Saturday, 9am to 5pm.
Note that the email from BA gives you a personal "Activation Code". However, when you get to the signup forms for ProtectMyID, you put the code into the second page of the sign up form in the "Promotional Code" field.
Print Wikipost

BA Investigating Theft of Personal and Financial Data

Old Sep 8, 2018, 6:04 am
  #601  
 
Join Date: Jul 2014
Location: Surrey, UK
Programs: BA Gold, *A Gold, IHG Platinum
Posts: 652
I used Apple Pay to book my flight to DUB during the dates mentioned. Hoping that I'll be alright, although the fact I have a few other cards stored on the BA website could mean trouble depending on how deep the hack was.
jwhite9185 is offline  
Old Sep 8, 2018, 6:25 am
  #602  
 
Join Date: Dec 2009
Location: Flatland
Programs: AA Lifetime Gold 1MM, BA Gold, UA Peon
Posts: 6,095
BA are definitely erring on the side of caution with notifying people. My nearest transaction to the dates mentioned is 20 August, a clear day before they say the hack began. This is entirely understandable; it is even worse (for PR and regulatory impact) repeatedly and incrementally to say "oh, and a few more people may be hacked" than to notify a superset in the first instance. False negatives are worse than false positives for BA.
flatlander is offline  
Old Sep 8, 2018, 7:30 am
  #603  
 
Join Date: Jun 2015
Location: Basingstoke, UK
Programs: BA Gold
Posts: 54

Anyone else get something like this?
rssfed23 is offline  
Old Sep 8, 2018, 7:51 am
  #604  
 
Join Date: Sep 2008
Location: Midwest USA
Programs: BA SIL, WN A, UA SIL, Marriott TIT (LT), Hilton DIA
Posts: 1,968
I purchased 4 tickets on BA.com on Sept 4-5. Used my Chase Visa (Southwest). I called Chase and they cancelled card and will send out replacement. No suspicious/fraudulent charges. Kind of a pain because now I have to update all the websites where I used this card.
nachosdelux is offline  
Old Sep 8, 2018, 8:13 am
  #605  
 
Join Date: May 2004
Location: 7th planet on your right
Programs: BA[G], SQ[G], TK[G], DL[PM], EY[G], AF[S], IC[Amb], HH[G]
Posts: 1,641
Originally Posted by Takiteasy


What personal information do they have that they could not have gathered by other means? The BA email says full name, billing address and email address.

There is so much information of that nature which can be found online already: have you ever bought a house, mortgaged it, applied to the local authority to add an extension to it, been on an electoral register etc?

Contrast it with the Nordics for example where all your personal data (including date of birth and income!) is publicly available online. No more identity theft than here is reported.

So while I am very concerned about ID theft in general, the BA situation has not added to my concern.

And given I am not worried about card fraud as I will be reimbursed for any such event, I can sleep soundly and not waste time calling cards companies, banks etc.

Side comment, why are people all wanting to suddenly change their BA.com password? This has not been communicated as having been accesses. Again, it is good practice to regularly change password but why specifically in that instance - BA has not even recommended to do so.
Again, sorry if we have a different points of view: btw, I think mobile number is included in the bunch of personal data stolen.
Said that, the point is who gets your data. I agree that some of my data could be retrieved in a number of ways, but please.... giving them in perfect order to arguable people with arguable goals! You cannot underestimate this.

It's like if you tell me: "Thieves can open doors quite easily with a number of tools.... So, what's the problem in leaving the key outside the door?"
Sorry if my post sounds rude, it's not my intention
cheers
orbitmic likes this.
paffendorf is offline  
Old Sep 8, 2018, 8:29 am
  #606  
 
Join Date: Aug 2006
Location: Switzerland
Posts: 1,568
Originally Posted by rssfed23

Anyone else get something like this?

Assuming you hadn't contacted them first, and given the DM your name and telephone number, that seems VERY suspicious. My limited understanding of the data hack is that data was intercepted en-route to the payment system. So, whatever was sent there could include your contact details (home address and email address already admitted as having been intercepted) and no doubt a contact mobile number too.

Based on my above assumption, I would assume the text you received was fake and that they will use it to fish for other information (which you might think innocuous at the time) in order to get a proper handle on your info for identity theft.

Of course, it could just be a stupid DM journalist. Still not worth replying to
T8191 likes this.
adrianlondon is offline  
Old Sep 8, 2018, 8:32 am
  #607  
 
Join Date: May 2006
Location: 5 miles from EMA
Programs: BD, BAEC Pleb, VS Pleb, Accor Pleb, HHonors Gold, Big White Season Pass
Posts: 5,868
Ive just followed him on Twitter, he is asking people to follow him so that he can speak to them
rssfed23 likes this.
Tiger_lily is online now  
Old Sep 8, 2018, 8:36 am
  #608  
Moderator, Iberia Airlines, Airport Lounges, and Ambassador, British Airways Executive Club
 
Join Date: Feb 2010
Programs: BA Lifetime Gold; Flying Blue Life Platinum; LH Sen.; Hilton Diamond; Kemal Kebabs Prized Customer
Posts: 63,474
Originally Posted by allturnleft
Interestingly is there any evidence yet that anybodys data has been used?
As detailed upthread, I have reason to believe that my former Amex card data, including CVV, is now for sale.
orbitmic likes this.
corporate-wage-slave is online now  
Old Sep 8, 2018, 8:36 am
  #609  
FlyerTalk Evangelist
 
Join Date: Mar 2010
Location: JER
Programs: BA Gold/OWE, several MUCCI, and assorted Pensions!
Posts: 32,124
Originally Posted by Tiger_lily
Ive just followed him on Twitter, he is asking people to follow him so that he can speak to them
Will a DM journalist add any substance to the discussion? Or does he just want to assemble a coterie of wailing victims under a sensational headline? Personally I wouldnt touch him with a bargepole.
T8191 is offline  
Old Sep 8, 2018, 8:39 am
  #610  
 
Join Date: May 2016
Location: EDI
Programs: Was BA GGL but no longer travelling
Posts: 583
I know I'm posting late to the thread. I'm in Bangalore, and first I knew was when I woke up and checked the mails on my phone the morning the story broke. Email from BA explaining it all. I had booked in the time period (I'm travelling every week). I checked the BA website and the link to details was very obvious.

Called BA Amex number and recorded message said no need to cancel card at this time.

So for my part, I think BA have handled this well. Clear information on the website with no attempt to hide it at the bottom like Ry*nair probably would.

I had use stored card details so only actually keyed my 4-digit CVV, but I don't think anyone has confirmed if stored details were vulnerable or not. I've also reset my BAEC password (eventually - forgot my password link) and also opted for Amex alerts when charges hit the card.

Once BA knew about it, they seemed to act quickly and communicate quickly. And I've personally no issues about how long it took them, as my booking was made on the first day of the time window.

Fingers are crossed.
HighwayToHEL is offline  
Old Sep 8, 2018, 8:54 am
  #611  
 
Join Date: Jun 2015
Location: Basingstoke, UK
Programs: BA Gold
Posts: 54
Originally Posted by corporate-wage-slave
As detailed upthread, I have reason to believe that my former Amex card data, including CVV, is now for sale.
Mine was used for a Netflix transaction in Canada. Monzo blocked it though as I already have one for the UK. There was another 15 transaction that I didnt authorise that did get taken and it was an online one with ccv present.
After replacing the card and notifying me (I love how I had notifications a hour after the initial tweet from BA from my bank yet no email at all from BA) they obtained my 15 back.

Weirdly though it shows as 15 paid from BA not from the merchant that the card was used at. Talking to monzo customer service it seems they have a way to charge BA for the fraudulent transactions and deposit that money in the account rather than doing a charge back or requesting it from the merchant that it was used at (based in India and unlikely to give it back easily I imagine). This is a debit card so are charge backs not an option like on a credit card(? - Im not too hot on banking tech and procedures)
Either way; Monzo sorted it all out quickly and got my money back directly from BA. BA were useless as expected and I communicated the above to the DM writer after verifying his account.
rssfed23 is offline  
Old Sep 8, 2018, 9:16 am
  #612  
 
Join Date: Jun 2013
Location: Russia
Programs: BA Silver
Posts: 125
Does anyone know if all our stored cards are affected or just the ones we used during the window?
Ivanerr is offline  
Old Sep 8, 2018, 9:19 am
  #613  
Moderator, Iberia Airlines, Airport Lounges, and Ambassador, British Airways Executive Club
 
Join Date: Feb 2010
Programs: BA Lifetime Gold; Flying Blue Life Platinum; LH Sen.; Hilton Diamond; Kemal Kebabs Prized Customer
Posts: 63,474
Originally Posted by Ivanerr
Does anyone know if all our stored cards are affected or just the ones we used during the window?
That has been clearly communicated by BA: stored cards used during the dates are at risk, stored cards not used between the two dates are not at risk. More details upthread.
adrianlondon and Ivanerr like this.
corporate-wage-slave is online now  
Old Sep 8, 2018, 9:21 am
  #614  
Moderator: British Airways Executive Club, Iberia Airlines, Airport Lounges and Environmentally Friendly Travel
 
Join Date: Jan 2003
Location: London, UK
Posts: 22,200
Originally Posted by corporate-wage-slave
That has been clearly communicated by BA: stored cards used during the dates are at risk, stored cards not used between the two dates are not at risk. More details upthread.
Yes, I used stored payment details during the affected period and received both emails from BA. I consider myself at risk.
Prospero is offline  
Old Sep 8, 2018, 9:26 am
  #615  
 
Join Date: Oct 2016
Programs: Always J
Posts: 57
Originally Posted by NWIFlyer
I think we can be fairly certain that the message coming from BA about ensuring everyone affected is compensated is only intended to cover direct financial loss when it comes to monetary payments. I would be surprised if BA paid out for anything else voluntarily, and legal action may be required.

Tiger_lily outlines one possible route which you could use - although you are going to have to quantify the non-material loss if you choose to do that.

In the circumstances Id sit it out a few days and wait, particularly if you have status with BA. After the last IT issue BA took several days to formulate a discretionary compensation package, which turned out to be a status extension for a year. They may well (indeed, are likely to) look to do something again over the next few days that might - or might not - satisfy you. Once that pans out you can start making decisions on how to move forward.
My wife and I were caught up in the BA 27 May 2017 debacle for which we received adequate financial compensation and also a shedload of additional Avios on top of what we were expecting for our return LHR-BKK flight.

But this fiasco is infinitely more serious and has left me, and hundreds of thousands of others, exposed to identity theft which is non-material damage thus far, but will obviously become material damage if my identity is used for nefarious purposes in the future. I'm actually not worried at all that my Amex cards are compromised as I trust Amex and have found their proactive communication to be reassuring.

Personally, I'm not having this and BA will need to come up with adequate redress or I will have no choice but to claim under GDPR Article 82.

This is what I intend to do to get the ball rolling - I'm going to communicate my grievance directly to BA and request compensation but I'm going to leave it to them to make me an offer to settle the matter. If not, then I intend to claim through the courts, which is my least preferred course of action, but I'll do it if I'm forced to.
Tiger_lily and Txubito like this.
HiSo is offline  

Thread Tools
Search this Thread

Contact Us - Manage Preferences - Archive - Advertising - Cookie Policy - Privacy Statement - Terms of Service -

This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.