BA hack – what you need to do

Font size


The airline BA has confirmed that financial and personal data was stolen from 380,000 customers in a data breach. It has said it’s contacted all those affected and will make sure they’re compensated. Find out what you need to do.

BA hack – what you need to do

The BA hack affects people who made a booking or made changes to their booking online via BA’s website or using BA’s app between:

  • 22.58 pm on August 21st and
  • 21.45 on September 5th inclusive.

SAVVY TIP: BA says this doesn’t affect people who logged in to check in, update passenger information and/or print out boarding passes. It also doesn’t affect people who booked via a travel agent. Executive Club accounts were not affected.

BA has emailed the customers affected, although some customers received emails with a subject header and no text. BA says they’ve been contacted again.

Contact your bank or card provider

If you made or changed a booking between the dates I’ve mentioned, you should contact the bank or provider of the card you made the booking with. Some customers say they have already had money stolen from the cards they used for the booking. Your bank or card provider will tell you what to do with the card and how to protect yourself from fraud in the future.

SAVVY TIP: BA says that if you see any suspicious activity on your account, you should also contact it. It has said it will compensate everyone who’s affected, although it says it hasn’t yet decided exactly how it will do that. It has also said that it will offer a 12 month credit monitoring service for free to anyone who’s concerned about fraud and the effect on their credit rating.

Change your BA password

You should also change your BA password. If you used your BA password on any other accounts, you should change that password as well.

What data was stolen?

All the personal and financial information you submitted or changed was stolen. BA says that travel details and passport information was not stolen. Information that was accessed includes:

  • Names, addresses and email addresses,
  • Credit card numbers, expiry dates and the three-digit code on the back,
  • Telephone numbers.

What will your bank or card provider do?

They will tell you what to do next. BA has already said it will compensate all customers who’ve lost out.  By law, you must be compensated if money was fraudulently stolen from a debit or credit card.

Some of the online only banks, such as Monzo and Starling Bank, say they’ve already ordered replacement cards for all customers who’ve been affected by the BA hack, and that they’ve emailed them to say a new card is on its way. I’ve contacted several of the major banks and card providers to find out what they’re doing.

Barclaycard told me:

“We are monitoring accounts that may have been affected and will take action to keep these customers safe. We will be issuing new cards to these customers to minimise the risk to their accounts.We will always take action to keep our customers protected and we would encourage anyone to contact us immediately if they notice anything suspicious on their account.”

UK Finance, which represents the card providers, has this advice:

  • Check your bank and credit card statements regularly and if you spot any unfamiliar transactions, contact your bank or card company immediately. You will get a refund of any money that’s been taken fraudulently on your debit or credit card. 
  • Watch out because criminals may use the news of the data breach as an opportunity to trick you into revealing personal or financial information.
  • Be aware that criminals will often use the publicity around data breaches as a chance to pose as a genuine organisation, including banks, police officers, retailers and telephone or utility companies. Often the criminal will pretend to be from the company, such as British Airways, or claim they are dealing with an issue resulting from the data breach.

SAVVY TIP: Fraudulent emails, phone calls or text messages often claim there has been fraud on an account or the customer needs to “verify” or “update” details. The communication often suggests the request is urgent or asks for remote access to your computer. Using the data breach as a cover story, the criminal will then attempt to get the recipient to disclose personal or financial information, which they will then use for their own fraudulent purposes.

Useful links:
You can find the latest information about the hack on the BA website.

Related articles: 

Contactless cards – how to avoid contactless card fraud

Bank frauds and scams to avoid – how to reduce the risks of being a fraud victim

The SavvyWoman Podcast 13; Fraud and how to avoid it

SavvyWoman email newsletters: If you found this information useful why not sign up now to receive free fortnightly email newsletters with money saving tips and help? You can sign up at the top of any page on the website and your details won’t be passed to any other company for marketing purposes.