BA breach: what happened and is my data safe?

Rob Braileanu

 · 10/25/2018  · 10/25/2018

⚠️ Update - Thursday, 25th October 2018

On Thursday 25th October 2018, British Airways announced that an additional 185,000 passengers may have had details stolen as a result of a data breach.

The company confirmed that the incident affected customers who had made reward bookings using a payment card between 21 April and 28 July 2018.

Of the 185,000 affected customers, 77,000 may have had their names, addresses, email addresses, card numbers, expiry dates, and card verification value (CVV) numbers compromised during the breach. The details of the remaining 108,000 passengers did not include the three-digit security code or CVV.

British Airways also confirmed that all affected customers will be contacted via email before 5pm on Friday, according to a spokesperson for the airline.

Since the incident was first reported on the 6th of September, our teams have been monitoring activity closely and have confirmed there were no fraudulent transactions to date, as a result of the breach.

We continue to monitor all activity closely, and will reach out to any affected users directly via email, in the event that their details have been compromised. If you believe your data might be at risk as a result of the British Airways breach, you can reach out to the airline directly, or to our customer support agents via chat.


On Thursday evening, we were alerted that British Airways, an airline that many Revolut users regularly fly with, had been compromised in a data breach.

As soon as this incident was confirmed, we actively started an internal investigation to uncover how this data breach might affect our users. Before releasing a public statement, we wanted to gather all the facts in order to provide an accurate response to this crisis and address our community.

What are the facts?

At 18:31 BST, British Airways tweeted they are investigating the theft of customer data from their website and mobile app, as a matter of urgency. Linked to the tweet was the official statement published on the BA website which offered more details.

According to the statement, the breach affected customers who had made a booking or changed their booking via the BA website or mobile app between 22:58 BST August 21 2018 and 21:45 BST September 5 2018.

The data breach meant that affected customers may have had their names, email addresses, home addresses and card details compromised, but the breach did not affect their travel or passport details.

British Airways have appologised and confirmed they will refund all affected customers in full. The group also advised their customers to contact their bank or credit card company and follow their advice.

What did we do?

We learned about the incident from the media, shortly after 8 PM on Thursday and immediately started an internal investigation.

Our attention focused on finding the users who had made a transaction with British Airways using their Revolut cards, between August 21st and September 5th, 2018.

On Friday morning, it was concluded that 3000 users may have been affected by the data breach. We immediately took to social media to notify our community about the incident.

The first measure we took was to immediately block all online transactions on the affected cards, as well as to terminate all virtual cards that were used on the BA website or app during the affected timeframe.

This was to prevent potential fraudsters who could have gained access to our users' card details from using them to make fraudulent purchases. We then contacted those users whose cards were terminated via the in-app chat.

Meanwhile, our engineers were devising a solution that would allow affected users to order a replacement card free of charge, directly from the app. Our support agents were standing by to assist customers with their queries related to the ongoing incident.

At 8PM on Friday, we sent out a text message to all of the affected users, as well as an email alerting them of the ongoing issue and next steps.

Once these preventative measures were in place, we were ready to issue free replacement cards to all users who are at risk of having their data compromised as a result of the BA data breach.

Is there anything I need to do to protect myself?

We take data breaches very seriously. The recent BA incident only stresses the importance of protecting your data and privacy when shopping online.

Currently, there have not been any fraud attempts using any of the affected users' Revolut cards. These cards will continue to work until the replacements arrive in the next few days.

If you've used your Revolut card to make a purchase from the BA website or app between 21st August 2018 and 5th September 2018 and we haven’t contacted you, please freeze your card from the app by following the steps in the video below and get in touch with our support agents so we can replace your card as a precaution.

To further reduce the risk of online card fraud, we recommend you consider using disposable virtual card whenever you shop online. These are specially designed virtual cards which generate new card details after every transaction, giving you an extra layer of protection that traditional physical cards simply cannot offer.

We are continuing to closely monitor the activity of all of the cards which may have been compromised during this incident and will reach out to our users directly, should we see any suspicious activity.

If you have any questions about the incident or you believe that you may have been affected by the British Airways data breach, please reach out to our support team via the in-app chat or social media channels.