Banks replacing cards after hackers steal details of 380,000 BA flight transactions
Barclays and Santander are automatically replacing cards for customers who booked British Airways (BA) flights after the airline was hacked.
Smaller card providers including Monzo, Curve and Starling also plan to issue replacement cards automatically.
But others like HSBC, Lloyds, Nationwide and NatWest have said they will only cancel credit or debit cards that have been compromised if customers specifically request it or they detect suspicious activity.
UK challenger bank Starling tweeted that replacement debit cards have been ordered for all their customers who used their cards to pay BA between 21 August and 5 September and that affected customers would receive an email. Its rival Revolut also tweeted that a small number of users might have been affected and these users would be offered a free replacement card.
The data breach took place over two weeks while BA failed to notice, and involved the details of around 380,000 card transactions. The information gleaned included the customers’ names, their 16-digit card numbers and expiry dates as well as the three-digit security codes on the backs of cards.
BA has confirmed the “sophisticated, malicious criminal attack” breached its systems between 10:58 on 21 August and 9:45 on Wednesday 5 September. The data taken was for people who in that period had bought tickets online via the airline’s website or mobile app. The airline says no customers would be left out of pocket, although all claims would have to be made via a customer’s bank.
BA customers are now suing the airline, which is facing a £500 million group action suit over claims it failed to take into consideration the “inconvenience, distress and misuse” of the stolen data. SPG Law says customers could receive as much as £1,250 each.
BA is adamant that people who booked flights via third-party travel websites like Expedia or lastminute.com would not have been affected. The airline also underlined that “no passport or travel details” were hacked.
This latest breach is believed to have been the first in which all the details required to make online purchases have been stolen. Earlier breaches, like those at TalkTalk in both 2015 and 2017, affected only a small proportion who had bank account and sort code details stolen, which is not enough to make purchases.
“Card not present” fraud, where fraudsters are able to make payments or purchases virtually – on the phone, by mail or online – accounts for the lion’s share of fraud losses in the UK. Last year, £566 million was lost to scams, of which £409 million was down to the “card not present” category, according to UK Finance, the trade body that represents nearly 300 of the leading finance firms and collates the data.
Barclays points out that people who use mobile banking can limit or block transactions for affected cards or request that they be cancelled at any time. Old cards are automatically blocked once new ones are used by customers. Santander is issuing replacement cards in the next few days.
BA has emailed customers who are affected urging them to contact their bank for further guidance. UK Finance has also warned everyone to be vigilant for fraudsters trying to trick them into revealing more by posing as BA staff. UK Finance reiterated that no banks would ever ask for any customer’s PIN or complete password, or ask for money to be moved to another account.
Banks are also urging those affected to monitor their credit reports, warning that it is possible the hackers could use the stolen data to obtain credit in the names of victims.