BA customer data leak

[Aridane]

Just got the e mail below.

Increasingly getting emails saying my data may have been hacked but reassuring that no credit card / financial details obtained. This one seems different.

“Dear Customer,


From 22:58 BST 21 August 2018 until 21:45 BST 5 September 2018 inclusive, the personal and financial details of customers making or changing bookings at ba.com, and on our app were compromised. The stolen data did not include travel or passport information.

The breach has been resolved and our website is working normally.

We’re deeply sorry, but you may have been affected. We recommend that you contact your bank or credit card provider and follow their recommended advice.

We take the protection of your personal information very seriously. Please accept our deepest apologies for the worry and inconvenience that this criminal activity has caused.

Further information can be found at ba.com.

Yours sincerely”

[Aridane]

Was holding for 10 minutes for Barclaycard. When I got through, they actually asked if I was phoning about BA! Apparently BA had already notified them and there is no reason to cancel my card (although it will be closely monitored).

[Aridane]

Not that impressed with BA’s email. Info better on the website - www.britishairways.com/en-gb/information/incident/data-theft/latest-information. Still, I suppose the priority was to get some communication out to customers.

[ChardonnaysPrettySister]

I got the same.

[Aridane]

Have you contacted your bank?

[ChardonnaysPrettySister]

No, not yet.

[ShotsFired]

It didn't affect me till I just read this in the OP:

customers making or changing bookings at ba.com, and on our app...

But I have no communication from them, and the "changing" bit does't seem to be referred to on the webiste. Going to call Amex just in case now.

haveibeenpwned.com/ is a good site to check if you have been compromised.

[Kintan]

I got that email this morning too. Will contact my bank and see what they say. Very annoying!

[Aridane]

shots - just tried that site you linked. Seems my email address has been compromised 3 times - once via LinkedIn and twice via spam bots. For more info though it seems you have to,subscribe

[ShotsFired]

I don't remember subscribing aside from "joining" it to check my details - I'm not sure if you mean the same? I only get emails from them if I have been (or could have been?) affected though, which is reassuring.

If you don't want to join, you at least know to change your LI password etc.

[KitKat1985]

I had the same e-mail. Tried to get through to my bank twice this morning but just can't get through due to high call volume.

[LesLavandes]

I haven't received anything yet

[Aridane]

Les - it will only apply to you if you made or amended a booking during 21st August - 5th September. Otherwise you will not be affected and will not receive an email

[LarkDescending]

I posted about this last night. I am one of the customers who booked online in the relevant period, and got the email from BA at 3am. It is extraordinarily vague, and really adds nothing to what is in the news reports.

My bank says the information provided to it has also been in similarly vague terms as to precisely what data has been hacked. Their advice was to cancel the affected credit card immediately, and to look at CIFAS for help on avoiding identity fraud by whoever now has your info. Apparently (so the bank says) BA is supposed to be funding a credit check for affected customers, but I don’t know how to take advantage of that and there is no mention of it in BA’s email to me.

[LarkDescending]

BA’s CEO, Alex Cruz, told the Today programme that the compromised data for affected customers includes:

Name
Address
Email address
Credit/debit card number, expiry date and CVV number

[ShotsFired]

That is shockingly lax security to hold that information together, in accessible format.

[LarkDescending]

They are not allowed to store the CVV number at all (and insist they don’t) so they are saying the date must have been intercepted while being entered on the online form, rather than harvested from a database.

[LarkDescending]

*data

[Aridane]

Hi, Lark - sorry, I didn't see your earlier thread.

I thought the email was a bit cheeky not mentioning the credit check funding BA will be paying for - it's on their website but not on the email.

I emailed BA to say i) I expected further updates to be by email and not by me having to periodically check their website (which they are suggesting, and ii) to requested a funded credit reference check.

I saw there was a full page ad in today's Metro by BA about the hack - same wording pretty much as the email

[Aridane]

I also think it was a bit off that it was reported in the news before customers were notified...

[Aridane]

Lol at the briefest statement ever on the home page of the ICO's website -

ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/ico-statement-in-response-to-british-airways-breach-announcement/












ICO statement in response to British Airways breach announcement

Share(Opens Share panel)








Date07 September 2018TypeStatement



An ICO spokesperson said:


“British Airways has made us aware of an incident and we are making enquiries.”

[ChardonnaysPrettySister]

My bank says the same, no need to cancel card, just watch.

I’m not convinced.

[KitKat1985]

My bank has also said just to keep watching my account, and that they won't be issuing new cards as standard. Don't get me wrong I didn't really want the hassle of getting my current card cancelled, but I'm not sure I feel comfortable knowing someone somewhere has my bank card details either, and that I could wake up one day to find my account has been cleared out.

[LarkDescending]

My card has been cancelled on the bank’s advice - they said that given that I was on notice that it had been compromised to this extent that was the sensible thing to do.

[LarkDescending]

The bank guy said to me - if you had left the card in a cafe you would cancel it, even though it might well be found and handed in by an honest person. In this case there is clearly malicious intent behind the breach, so all the more reason not to leave it vulnerable.

[KitKat1985]

Lark who do you bank with out of interest?
My bank (Natwest) are just advising a 'wait and see if you get hacked' approach which feels rather poor.