Some links to products and travel providers on this website will earn Traveling For Miles a commission which helps contribute to the running of the site – I’m very grateful to anyone who uses these links but their use is entirely optional. The compensation does not impact how and where products appear on this site and does not impact reviews that are published. For more details please see the advertising disclosure found at the bottom of every page.
I really need to start out this post with a disclaimer – I don’t generally read the Daily Mail, I don’t like the Daily Mail and I don’t agree most of what (I’m told) the Daily Mail writes…..but this is relevant news so I’m forced to quote from the
comic book newspaper.
According to the Daily Mail the Russian team who successfully hacked British Airways earlier this year may have made around $12m (£9.4m) selling the credit card information it obtained courtesy of BA’s ineptitude.
Apparently security experts have found the stolen information for sale on the Dark Web with prices ranging “between £6.94 and £38.58” (~$8.88 and ~$49.38).
244,000 British Airways customers were impacted by the hack and Magecart, the group believed to have carried out the attack, put the credit card details up for sale “a week after the hack, under adverts titled ‘CVV2 Dumps Update (high valid)’“.
According to sources, the hackers claim to have details of BA customers from a variety of countries including the UK, US, Canada, Mexico, Germany, Italy, Spain, France, Argentina, Brazil and China.
The prices charged for the information range as some credit card details are considered more valuable than others (presumably the hackers have a reason to believe that some cards are easier to use illegally than others).
British Airways is still stubbornly (and rather amazingly) sticking to its story that they “have had no verified cases of fraud since the incident“…..but you can ignore that.
As usual this is utter drivel coming from BA.
The fact that the credit card information has been put up for sale is a fraudulent act in itself and if you believe that not a single one of the 244,000 stolen credit card details has been used in a fraudulent transaction (or attempted transaction) then please get in touch…..I have a bridge in London I’d like to sell you (one careful owner).
At the time of the hack card issuers like American Express were saying that there was no need to call in to replace your credit cards as their systems were monitoring all transactions (for fraud) and consumers aren’t responsible for fraudulent activity.
That’s all true….but its still poor advice for most readers of this blog.
If you’re reading Traveling For Miles there’s a good chance that you travel (possibly quite a bit) and that’s why, at the time of the hack, I advised readers to ignore what the banks/card issuers were saying and to get their cards changed.
If you haven’t already followed that advice I suggest you consider doing so now.
My reasoning for that advice hasn’t changed:
Acting now means that things are in your hands and you can take measures to ensure you have other payment methods available to you while you wait for your new cards to arrive.
If you wait to see what happens and then get compromised you run the risk of leaving yourself stranded without an alternative method of payment and that’s not going to be a nice position to be in.
The fact is that the credit card information is out there for sale and there is absolutely no knowing if/when that information will be put to use.
Amex/Chase/Citi/whomever may well catch any fraudulent transactions but they’re also likely to shut your card down when that happens – do you want that to happen in the middle of a trip hundreds/thousands of miles from home?
I’ve changed both of the credit cards that I used on BA’s site and app during the period the airline was haemorrhaging information to the hackers and I’m very glad I did – at least I know that whatever is out there for sale with my name attached to it should be of little value now.