Massive British Airways data breach - what it means for you
British Airways has apologised after admitting that 100,000s of customers' payment details have been stolen over a period of 15 days in a massive data breach.
The airline revealed on Thursday 6 September that the personal and financial data of customers who made a booking – or updated a booking and made a payment – on BA.com or the BA app between 21 August 2018 and 5 September 2018 had been accessed. In total, about 380,000 cards were "compromised".
BA is now contacting all affected customers and instructing them to contact their banks or credit card providers and follow their advice. However, MoneySavingExpert.com's found card providers are taking different approaches, with some issuing all affected customers with new cards and others simply advising customers to watch for suspicious transactions.
What details have been taken?
Customers' names, addresses, email addresses and debit or credit card details were taken.
BA says the data stolen included not only card numbers but also customers' card verification codes (CVCs) – the three digit number on the back, used as a security feature when you make payments that aren't in person.
BA says passengers' passport and travel details weren't taken.
I've been affected by the breach – what should I do?
If you've been contacted by BA and told you're affected, contact your card provider and ask for its advice. See more on what card providers are telling customers below.
You can also take the following steps to minimise the risk of being hit by fraud (see our 30+ Ways to Stop Scams guide for full help):
- Check your bank or credit card transactions regularly. If you spot any unfamiliar or unusual activity, make sure you contact your bank immediately and let it know.
- If worried, demand a new card. Banks and credit card firms are taking different approaches, but if yours isn't routinely replacing cards affected by this breach, you can ask for a replacement card anyway.
- Beware of 'phishing scams'. Criminals may attempt to use the news of the data breach as an opportunity to trick people affected into revealing information. Remember that no bank or any other genuine organisation will contact you out of the blue to ask for details such as your PIN or banking password, and beware of clicking on any links in text messages or emails.
- Change your British Airways login password. And if you use that password elsewhere, make sure you change it there too. It's good practice to use different passwords – see our Password Security guide for more help.
- See if your card provider lets you get payment notifications. Some card providers, such as American Express, allow you to get notifications on your phone or tablet every time a payment is made on your card. This way you can see instantly when a payment goes out, if it's one you aren't expecting.
Customers should not be left out of pocket by any fraudulent activity on their cards as a result of this data breach – if your card is charged, your card provider or bank should refund you.
We've asked the major high street banks and card providers what guidance they're giving to customers, and this is what they've told us so far:
- Barclays, Santander, Monzo and Starling are issuing affected customers with new cards. In the meantime, you can continue to use your old card (though Barclays says you won't be able to use it online) and you should contact your bank if you spot any fraudulent activity.
- American Express says customers should continue to use their cards as normal. It says if it spots unusual activity on your account which may be fraud, it will contact you, and if it verifies fraud has taken place, it will replace the card. You should also contact Amex if you spot any fraudulent activity on your card.
- Bank of Scotland, Halifax, HSBC, Lloyds, Nationwide, NatWest, RBS, TSB and Ulster Bank have all told us that customers should continue to check their statements regularly and contact them if they see anything unusual – but they WON'T be routinely reissuing cards for all affected customers.
We've also contacted First Direct and will update this story when we hear back.
What are customers saying?
British Airways customers affected by the breach have been critical of the company – with some saying they were offered little guidance by the airline:
I booked a BA flight with a third party – am I affected?
Only customers who made a booking or change that required a payment on BA.com or the BA app between 21 August 2018 and 5 September 2018 are affected.
If you booked with a third party, BA says you won't have been affected.
What if I didn't make a payment – am I affected?
No, only customers who made or amended a booking which involved making a payment between the dates mentioned above are affected.
Has anyone lost money as a result of the breach?
BA says it can't comment on whether any customers have actually been victims of fraud or lost money as a result of the breach.
If you've been hit by fraud, contact your bank as your first port of call.
Is BA offering compensation?
The airline says no one will be left "out of pocket" due to the data breach, but in practice, if you're hit by fraud, go to your bank or credit card provider, as it will be responsible for refunding you.
BA's said it will deal with any claims for compensation arising from the breach on an "individual basis". All affected customers will also be offered a 12-month credit rating monitoring service – BA should be in touch with details of this in due course.
A legal firm called SPG Law says it plans to launch a 'group action claim' – a type of legal action where a number of people are represented by one firm – to get customers compensation from BA. At the moment it's unclear if it'll be successful, how long it'll take and what cut of any compensation awarded you would actually get.
'This simply isn't good enough'
MoneySavingExpert.com deputy editor Guy Anker said: "This is yet another massive data breach which simply isn't good enough from big businesses holding so many people's highly sensitive data.
"Yes, criminals are getting smarter which makes firms' jobs more difficult – but they need to put up every shield possible to stop this. BA's motto is 'to fly, to serve'. Well, it's clearly fallen short on the service in this case.
"Anyone who's made a booking with BA recently should keep a very close eye on their statements for suspicious transactions and change their passwords on other accounts if it's the same as on BA.com, just to be safe. Let your bank know immediately about any possible fraudulent transactions."
What does BA say?
BA said on Thursday evening: "British Airways is investigating, as a matter of urgency, the theft of customer data from its website, BA.com and the airline's mobile app. The stolen data did not include travel or passport details.
"The breach has been resolved and our website is working normally."
The airline said it was in the process of notifying affected customers and Alex Cruz, BA's chairman and chief executive, said he was "deeply sorry for the disruption that this criminal activity has caused".
Speaking to the BBC on Friday morning, Cruz added: "There was a very sophisticated, malicious criminal attack on our website. We became aware initially on that day, and we began to work on it. We discovered that something had happened, and immediately we began to work.
"We didn't know exactly [the] extent of the work, so overnight, the teams were trying to figure what was the extent of the attack."
What does the data watchdog say?
An Information Commissioner's Office spokesperson said: "British Airways has made us aware of an incident and we are making inquiries."