This is the latest news on the theft of customer data from the British Airways website ba.com and its mobile app.
This is a story that has generated a significant amount of coverage. We have endeavoured to keep this page as concise as possible, and without hyperbole. It is also an evolving story and we will update this page with more information as it becomes known.
The Theft Of Customer Data
BA issued a statement in the early evening of Thursday 6 September 2018 that customers who booked flights over a period of 15 days between 22:58 BST on Tuesday 21 August 2018 and 21:45 BST Wednesday 5 September 2018 have had their personal and financial details compromised.
This data includes credit card numbers, expiry dates, CVV codes, home addresses and e-mail addresses.
BA has e-mailed affected customers who are advised to contact their banks and credit card companies for appropriate advice. A number of credit card companies have published guidance, which is reproduced below.
BA Guidance For Customers
BA has also published guidance for affected customers on its website ba.com.
This guidance has been saved as a PDF as it is likely to be deleted from the BA site at some point.
It should be noted that this has been periodically updated throughout Friday 7 September. The main changes are:
– BA has advised that the breach affects customers who have made changes to existing bookings as well as new bookings.
– BA Executive Club accounts are not affected by the breach.
– BA will fully reimburse passengers for any financial losses as a direct consequence of the security breach.
– BA will not ask customers to review/update payment card details and any unsolicited requests for this information should not be fulfilled.
Additional Advice – Sunday 9 September
BA has updated its guidance again on Sunday 9 September with the following additional advice:
– Telephone numbers provided during the booking process were not compromised.
– Customers who used PayPal to pay for a flight will not have had their PayPal accounts compromised, but there is some risk that personal information was accessed.
– Passengers who used Apple Pay to pay for a flight through the mobile app are not affected.
– Passengers who attempted to pay for a flight but the transaction was unsuccessful would have had their data compromised.
– Passengers who made changes to their bookings free of charge would not have had their data compromised.
– Bookings cancelled or refunded during the breach are not affected.
Fraudsters have used this incident to send “phishing” e-mails to customers.
These include e-mails purporting to offer a full reimbursement and two free tickets to a destination of your choice. Full details of known phishing attempts are at ba.com.
When BA has in the past faced a customer and media firestorm, it has made gestures of goodwill towards affected customers.
After the IT outage of May 2017, BA did offer two years’ free Executive Club card renewal to affected customers.
Once the dust settles (and possible legal exposures are known with certainty), BA may well offer some form of gesture of goodwill to affected customers.
What Cyber Security Measures Does BA Have In Place?
Here’s what Robert Boyle, Director Of Strategy at BA’s parent company International Airlines Group said at a Capital Markets Day in November 2017:
Now, I cannot stand up here and talk about IT without addressing the issue of cyber threats. Clearly, we are a high-profile target, as any big business is, and we take this very seriously. Over the last probably 18 months or so, we have had another hard look at this to try and ensure we were doing everything in best practice. And we have made sure we have proper cyber incident plans in place throughout the business. We have also moved the monitoring security stuff fully up to a complete fully resourced 24/7 setup. We are working with some of the best partners in the business in cyber security, and we deploy the latest technology in terms of robotics and penetration testing and intrusion detection scanning.
UK Government Response
BA is required by law to notify the Information Commissioner’s Office (ICO) of the breach.
The ICO has the power to levy very substantial fines in the event of a failure to properly notify a data breach. It has issued a short statement confirming contact with BA:
“British Airways has made us aware of an incident and we are making enquiries.”
Further updates will be provided on its news page.
The UK Government’s National Cyber Security Centre, part of GCHQ, has published guidance for affected customers.
General fraud prevention guidance is also available from Action Fraud.
American Express Response
American Express, which issues a number of BA branded credit cards in the UK, has provided the following advice to customers by e-mail:
I’m writing to you about the reported British Airways data breach involving personal and financial details of customers being compromised through their web and mobile app.
We want to assure you we have industry-leading fraud protection technology that is continually monitoring for any suspicious activity in order to safeguard you. Also, our Cardmembers are never liable for any fraudulent charges on their Accounts. If you have used your American Express Card to book with British Airways, we are monitoring your Account for you.
There is no action you need to take – we will contact you immediately if there’s any unusual activity with your Account. In the meantime you can continue to use your Card as normal.
If we see any unusual activity which could be fraud, we will contact you immediately. For added protection, you can also sign up for free fraud and other Account activity notifications via email, SMS text messaging, or alerts through our app.
Thank you for your continued Cardmembership.
MBNA Response
MBNA has posted the following statement on its website:
We are aware of media reports regarding the BA data breach. We would like to assure our customers that we take the security of their information very seriously.
If you have received an email from British Airways and transacted between the 21st August and the 5th September, and you are concerned, please contact us.
If you haven’t received an email from British Airways please be assured we will continue to monitor your account for security.