NCSC advice for British Airways customers

Created:  07 Sep 2018
Updated:  07 Sep 2018
NCSC building with logo
Advice for those affected by the British Airways data breach

Who is this guidance for?

Customers of British Airways (BA) who have used the company’s website or mobile application. The company has said a breach took place that put data at risk between 21 August and 5 September.


British Airways have reported that a data breach took place between 22:58 BST August 21 and 21:45 BST September 5, 2018. This is thought to have affected customers who made bookings on the BA website or app. They have reported that the compromised data includes names, email addresses and payment card information.

What should I do?

You can read BA’s latest information here.

If you used the BA website or mobile application to purchase services during the period BA say the data was at risk, we recommend that you contact your financial institution to see if there has been any irregular activity.

You should also monitor your financial accounts for any suspicious transactions.

Customers should ensure their passwords are secure. If you have been affected, you may want to consider changing passwords for key accounts such as banking. See Cyber Aware's advice on creating a good password that you can remember, or read the NCSC’s blog post for help on using a password manager.

In general, it is advised you make use of two-factor authentication (2FA) on important accounts – even SMS-based two-factor is better than none. The benefit of this is that even if someone does obtain an account password then they would still not be able to access due to this extra security measure

Now would also be a good time to check if your account has appeared in any other public data breaches. Visit, enter your email address and go from there.

What else do I need to know?

BA suspect the breach was a result of criminal activity and have notified the police and relevant authorities. You can keep track of the NCSC’s latest statement here.

Genuine financial institutions will not ask you to reply to an email with personal information, or details about your account. If you contact them, use a phone number/email address you have looked up yourself, rather than one sent to you in the email – it may be false. For further information, look at NCSC guidance on the phishing threat following data breaches.

Those affected should remain vigilant against suspicious phone calls or targeted emails. Further guidance on this and other cyber security matters can be found here on the NCSC website and Cyber Aware.

If members of the public think they have been a victim of online crime they can report a cyber incident using Action Fraud’s online fraud reporting tool anytime of the day or night or call 0300 123 2040. For further information visit

Was this guidance helpful?

We need your feedback to improve this content.

Yes No