The airline revealed on Thursday evening that the personal and financial data of customers who made a booking – or updated a booking and made a payment – on BA.com and the BA app between 21 August 2018 and 5 September 2018 had been accessed. In total, around 380,000 cards were “compromised”.
BA is now contacting all affected customers and instructing them to contact their banks or credit card providers and follow their advice. However, MoneySavingExpert has found that card providers are taking different approaches, with some issuing all affected customers with new cards and others simply advising customers to watch for suspicious transactions.
What details have been taken?
Customers’ names, addresses, email addresses and bank card details were taken.
BA says that the data stolen included not only card numbers but also customers’ card verification codes (CVC) – the three-digit number on the back – which are used as a security feature when you make payments that aren’t in person.
BA says passengers’ passport and travel details weren’t taken.
I’ve been affected by the breach – what should I do?
If you’ve been contacted by BA and told you’re affected, you should contact your card provider and ask for its recommended advice. See more on what card providers are telling customers below.
You can also take the following steps to minimise the risk of being hit by fraud (and see our 30+ Ways to Stop Scams for full help):
- Check your bank and credit card transactions regularly. If you spot any unfamiliar or unusual activity, make sure you contact your bank immediately and let it know.
- If worried, demand a new card. Banks and credit card firms are taking different approaches, but if yours isn’t routinely replacing cards affected by this breach, you can ask for a replacement card anyway.
- Beware of ‘phishing scams’. Criminals may attempt to use the news of the data breach as an opportunity to trick people affected into revealing information. Remember that no genuine bank, or any other organisation, will contact you out of the blue to ask for details such as your PIN or banking password, and beware of clicking on any links in text messages or emails.
- Change your British Airways login password. And if you use that password elsewhere, make sure you change it there too. It’s good practice to use different passwords – see our Password Security guide for more help.
Customers should not be charged for any fraudulent activity on their cards as a result of this data breach.
We’ve asked the major high street banks and card providers what guidance they’re giving to customers, and this is what they’ve told us so far:
- Barclays, Santander, Monzo and Starling are issuing affected customers with new cards. You can continue to use your old card in the meantime (though Barclays says you won’t be able to use it online). Contact your bank if you spot any fraudulent activity.
- American Express says cardholders should continue to use their cards as normal. It says if it spots unusual activity on your account which may be fraud, it will contact you, and if it verifies fraud has taken place, it will replace the card. You should also proactively contact Amex if you spot any fraudulent activity on your card.
- Bank of Scotland, Halifax, Lloyds, NatWest, RBS, TSB and Ulster Bank have all told us customers should continue to check their transactions regularly and contact them if they see anything unusual – but they WON’T be routinely reissuing cards for all affected customers.
We’ve also contacted First Direct and HSBC and will update this story when we hear back from them.
What are customers saying?
British Airways customers who have been affected by the breach have been critical of the company – with some saying they feel they were offered little guidance by the airline: