Have You Been Caught Up in the BA Data Hack? (Which Now Appears Much Larger)

On 6 September, BA finally admitted that it had been subject to a massive data breach, but estimated that it impacted customers who booked between 21 August and 5 September.

Unfortunately, that seems to have been optimistic, as emails were sent out last night extending the period of risk to cover 21 April to 28 July 2018. Excuse me whilst I spit out my coffee, as this would mean that hackers had been playing around inside BA’s systems UNDETECTED for 4-5 months!

Here’s the full e-mail.

Dear Customer,

On 6 September 2018, we regrettably announced that we were the target of a criminal data theft involving the personal and financial details of customers making or changing bookings at ba.com, or via the British Airways app.

Since then we’ve been conducting a thorough investigation with specialist cyber forensic investigators, liaising with the National Crime Agency. As a result of the investigation I am writing to let you know that you may have been affected by the data theft, when you made a reward booking between 21 April and 28 July 2018.

While we do not have conclusive evidence that the data was removed from British Airways’ systems, it is possible your personal data may have been compromised. This includes your full name, billing address, email address and payment card number, expiry date and CVV. As a precaution we recommend you contact your bank or card provider and follow their advice.

We are very sorry that this criminal activity has occurred. We’ll reimburse our customers who have suffered financial losses as a direct result of the theft of their payment card details. We’ll also offer credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.


Action you need to take
We take the protection of your personal information very seriously and would encourage you to review the advice below:

1. British Airways will never proactively contact you to request your personal or confidential information. If you ever receive an email or call, claiming to be from us, requesting this information, please report it to us straight away.
2. Review your credit card or bank account statements as soon as you can to check for unauthorised transactions or payments. If you suspect fraud, contact your bank immediately.
3. Do not respond to or follow any web links from untrusted sources.


Once again, we truly apologise for any worry and inconvenience this criminal activity has caused. Our contact numbers can be found at ba.com, or you can email our Data Protection Officer at [email protected]

Why is BA so Tone Deaf?

I’m no fan of British Airways; however I don’t rush to pick up a pitchfork when they do something wrong either. But many, if not most, customers take a dim view of major companies failing to take proper care of their financial details. Yet nearly two months after the initial breach was reported, we are still simply being told “deal with your bank” and “don’t click on phishing emails”.

I tend to pay for my BA flights and partner rewards with PayPal. I don’t know whether that’s better or worse, but at least I do know that criminals shouldn’t have my credit card details via this BA hack. Nonetheless, I’m sure that this is a nerve-wracking time for many BA customers, yet we still haven’t seen any signs of a goodwill gesture, which could be something as simple as a 9,000 Avios bonus for booking your next flight. Oh wait, IAG tried that and it didn’t work out so well for them 😉

Seriously though, BA really needs to consider doing something other than merely reminding us of the most basic habits of a modern internet user.

Has news of the breach caused you to book with a different airline? What do you think about BA’s reaction?


  1. Andrew H says

    After seeing a statement from BA saying ‘if you haven’t heard from us by 5pm, you’re OK’ I got said email at 9pm 🙁

    No sign of unauthorised access to my account yet, but I guess I’ll need a new card 🙁

    • Craig Sowerby says

      I would have thought that you’d be fine, since so many months have passed. But what do I know about actual criminal hacking and selling of info on the dark web! 😉

      It’s certainly better to request the new card now. More than once I’ve been travelling and had my card cancelled for “suspected fraud”. That sort of thing can really leave you in the lurch since your bank won’t send a card anywhere other than your registered address…

      • Tim says

        Exactly. And get the credit card companies to collectively invoice BA. And get the government to fine BA the full 3% in this instance. And let that fine payment be split equally amongst the affected customers. And then…. sorry, just woke up from a dream.

    • Mr Sean Donaghy says

      I also got an email from BA about a free year membership to Experian. After calling up to check if it was legit, I signed up and can now see a full credit report, and it alerts you to any activity.

      Unfortunately, my details and two cards were used, one Amex and the other Lloyds. I called both straight away and they investigated and refunded within 2 days (Amex actually blocked the transaction and waited for me to confirm if it was me or not).

      • Sharat says

        Did you get the BA email a few months ago when the first attack was notified?
        I only got one today morning and it’s about a reward booking only.

  2. Sharat says

    I have got the Experian offer too, although I already have it.
    I got the Reward booking email, some of my other bookings were done on phone and some on internet.
    Nothing unusual on my Amex card yet, Amex has also sent me an email saying they are monitoring it for any unusual activity and the card is safe to use.
