On 6 September, BA finally admitted that it had been subject to a massive data breach, but estimated that it impacted customers who booked between 21 August and 5 September.
Unfortunately that seems to have been optimistic, as emails were sent out last night extending the period of risk to include 21 April to 28 July 2018. Excuse me whilst I spit out my coffee, as this would mean that hackers had been playing around inside BA’s systems UNDETECTED for 4-5 months!
Here’s the full e-mail.
On 6 September 2018, we regrettably announced that we were the target of a criminal data theft involving the personal and financial details of customers making or changing bookings at ba.com, or via the British Airways app.
Since then we’ve been conducting a thorough investigation with specialist cyber forensic investigators, liaising with the National Crime Agency. As a result of the investigation I am writing to let you know that you may have been affected by the data theft, when you made a reward booking between 21 April and 28 July 2018.
While we do not have conclusive evidence that the data was removed from British Airways’ systems, it is possible your personal data may have been compromised. This includes your full name, billing address, email address and payment card number, expiry date and CVV. As a precaution we recommend you contact your bank or card provider and follow their advice.
We are very sorry that this criminal activity has occurred. We’ll reimburse our customers who have suffered financial losses as a direct result of the theft of their payment card details. We’ll also offer credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.
Action you need to take
We take the protection of your personal information very seriously and would encourage you to review the advice below:
1. British Airways will never proactively contact you to request your personal or confidential information. If you ever receive an email or call, claiming to be from us, requesting this information, please report it to us straight away.
2. Review your credit card or bank account statements as soon as you can to check for unauthorised transactions or payments. If you suspect fraud, contact your bank immediately.
3. Do not respond to or follow any web links from untrusted sources.
Once again, we truly apologise for any worry and inconvenience this criminal activity has caused. Our contact numbers can be found at ba.com, or you can email our Data Protection Officer at DPO@ba.com.
Why is BA so Tone Deaf?
I’m no fan of British Airways; however I don’t rush to pick up a pitchfork when they do something wrong either. But many, if not most, customers take a dim view of major companies failing to take proper care of their financial details. Yet nearly two months after the initial breach was reported, we are still simply being told “deal with your bank” and “don’t click on phishing emails”.
I tend to pay for my BA flights and partner rewards with PayPal. I don’t know whether that’s better or worse, but at least I do know that criminals shouldn’t have my credit card details via this BA hack. Nonetheless, I’m sure that this is a nerve-wracking time for many BA customers, yet we still haven’t seen any signs of a goodwill gesture, which could be something as simple as a 9,000 Avios bonus for booking your next flight. Oh wait, IAG tried that and it didn’t work out so well for them 😉
Seriously though, BA really needs to consider doing something other than merely reminding us of the most basic habits of a modern internet user.
Has news of the breach caused you to book with a different airline? What do you think about BA’s reaction?