Update – 12th September
I’ve added a brief summary of events for the benefit of our email subscribers:
As you may have heard, unless you’ve been without media access for much of the last week, British Airways (BA) was hacked. Approximately 380,000 transactions were affected over a 16-day period. Last Thursday evening (6th September), BA admitted that customers’ financial and personal details had been stolen. For customers concerned about possible card fraud, BA has been telling people to contact their bank or credit card providers to discuss this.
Now that the dust has settled somewhat, it seems that card providers are taking a varied approach. American Express was swamped with calls from concerned customers. They sent out dedicated emails to customers telling them that there was no need to cancel their cards and that customers would not be liable for any fraudulent transactions made using their card. Others such as Tesco Bank are proactively sending out new cards to affected customers.
BA has promised to compensate customers for any financial hardship they have incurred as a result of this breach. At this point, we don’t have any concrete information on a timeline for how/when BA will process these claims or what form this compensation will take.
What we didn’t originally know, and what has subsequently become clear, is just which customers are likely to have been affected. As well as new bookings made during the breach, it now seems that anyone who made flight changes, seat reservations or paid for excess baggage – in short, any transaction that required payment – is likely to have been affected.
Update – 1pm Friday 7th September
BA’s Twitter team are offering conflicting answers as to whether customers who made bookings over the phone have also been affected. BA’s official communications suggested the breach was limited to their website and the BA app.
Shortly before 6:30pm last night, British Airways (BA) issued the following press release regarding a customer data theft:
British Airways is investigating, as a matter of urgency, the theft of customer data from its website, ba.com and the airline’s mobile app. The stolen data did not include travel or passport details.
From 22:58 BST August 21, 2018, until 21:45 BST September 5, 2018, inclusive, the personal and financial details of customers making bookings on ba.com and the airline’s app were compromised.
The breach has been resolved and our website is working normally.
British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice.
We have notified the police and relevant authorities.
Alex Cruz, British Airways’ Chairman and Chief Executive said “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”
British Airways are emailing affected customers directly
This sounded pretty serious, and as further details continue to emerge, this breach looks every bit as ominous as it first appeared.
As noted in the press release, British Airways has been communicating details of this breach to affected customers – BA CEO Alex Cruz says they are confident all customers have now been contacted.
I made an Avios booking last week and duly received the following email from them at about 1am this morning:
The BA website also contains a banner notification…
…with a link to a FAQs page:
How do I know if I have been affected?
This relates to customer bookings made or changed between 22:58 BST August 21, 2018, and 21:45 September 5, 2018, inclusive. We will be contacting affected customers directly to advise them of what has happened and are advising them to contact their banks or credit card providers and follow their recommended advice.
Will there be any compensation?
Every customer affected will be fully reimbursed and we will pay for a credit checking service. We take the protection of our customers’ data seriously, and are very sorry for the concern that this criminal activity has caused. We will continue to keep our customers updated with the very latest information. We will be contacting customers and will manage any claims on an individual basis.
What data has been lost?
The personal and financial details of customers making or changing bookings on ba.com and the airline’s mobile app were compromised. No passport or travel details were stolen.
How do I reset my ba.com password?
Click the Forgotten Pin/Password link on the top right-hand corner of the ba.com homepage.
We recommend you choose a unique password that you do not use for any other online account.
Should I call my bank or cancel my credit cards?
We recommend you contact your bank and follow their recommended advice.
What shall I do if I am due to travel today?
The incident has been resolved and all systems are working normally so customers due to travel can check-in online as normal.
Will I still be able to check in?
Yes, all customers booked on our flights will be able to check in as normal.
Will this affect any future bookings?
The incident has been resolved and ba.com is working normally so future bookings will not be affected.
Does this affect Executive Club accounts in any way? ie missing Avios/Tier Points
Executive Club accounts were not affected.
Which customer data has been compromised?
While the official communications give little information as to the exact extent of this breach, BA CEO Alex Cruz gave an interview to BBC Radio 4 on Friday morning in which he detailed what has been stolen:
- Postal addresses
- Email addresses
- Credit card numbers
- Expiry dates
He did reiterate that no passport or travel information was compromised.
Although BA has said that BA Executive Club account details were not affected, I’ve taken the precaution of changing my account password and, judging by the reaction online, many are doing the same.
If you’re having trouble resetting your password, try logging out and using the ‘Forgotten PIN/password’ link – that worked for me.
Needless to say, if you did make a booking during the affected period, it’s worth checking that there are no signs of any subsequent fraudulent activity on your card account.
This is very much a developing story and I’ll continue to update the article as and when we get further information.