A LoyaltyLobby reader sent us a message via Facebook about an unfortunate incident that appears to be due to British Airways data hack that leaked credit card numbers with CVVs of close to 400,000 passengers that had purchased tickets from the airline.
Here’s the message from the reader:
I just read your blog about there’s another victim had suffered from the BA’s Data Theft & Card Compromised case. I believe you maybe more interested on mine.
On 21st Sept this year, I received 4 sms sent from my bank that there were forex transactions had debit my credit card which had used for award booking on ba.com on 29th Aug. The fraud amounts are CHF6,230, CHF4,900, EUR4,794 and USD3,408.12, totally eqv to HKD165,205 (!?).
I immediately called my bank HSBC and see what I could do, HSBC claimed that all the amounts were already properly settled between banks as every single information were correctly input (including CVV!?), therefore deemed no fraud. I did request for dispute/chargeback, but as it’s so uncommon in Hong Kong, customer rights protection here is weak (comparing with the full protection in US/EU), no agreement on the waiver of amounts could be reached apart from inactivate that card till today.
I then quite sure it must due to BA’s leakage as I only used that card (HSBC Premier master, only used for online airticket booking) on ba.com for the past three months. I called BA’s HK office, they played dumb and claimed everything would be handled by their London office, and “suggesting me to contact my bank” for further help (1/3).
Weeks later after I have filed an online complaint plus a twit, I received an email that requesting me to provide booking details, card info and evidents of the fradulent charges… so on, and “suggesting me should contact my bank for further help” (2/3). I did promptly provide everything they requested, together with an online credit card statement as evident.
Three weeks later, I received another email from BA, apart from hyprocretically emphasising “It is important to us that you’re not left out of pocket as a consequence of the data theft so, if you have suffered any direct financial loss that has not been covered by your bank or card provider or relevant insurance policy” twice, and again requested the same information as previous email, AND “suggesting me to contact my bank for any further help” (3/3). I then again provided all information needed, plus scanned copy of my credit card statement in paper form which purposely requested from HSBC as stronger evident.
And guess what? Last week I received another email as follows:-
“Dear Mr NAME REMOVED Thanks for coming back to us about the fraudulent activity on your account.
As you’ve advised that HSBC won’t return the monies taken from your account, please provide us with a letter from HSBC confirming they won’t reimburse you for the charges and the reason why. Please also send us a signed letter of authority allowing us to speak with HSBC about your case. You can send these documents to email@example.com.” Despite the frustration about such ridiculous requests, I stupidly contacted HSBC again. However, as previously HSBC clearly stated out their position that all the amounts were deemed properly settled with no fraud, they are not obligated to provide any letter to explain “why they won’t reimburse” the said amounts. I was even mocked by the telephone agent that “Sir, we don’t explain why you have to pay for supermarket expenses”…
Moreover, there are no authorisation letter attached by BA for me to sign! No to mention all correspondents have to go through their back-to-80s online portal instead of simply click the reply button, the portal comes with no document attachment function (which means I need to go back to outlook and sent the attachment separetly to the designated email address solely for attachements!).
Obviously BA just want to kick the ball to the banks/credit card companies (suggesting me to contact my bank everytime!), instead of I would not out of pocket as a consequence of the data theft and ensure I would be reimbursed as swiftly as possible as promised by BA. Now I have over ten thousand pounds debts sitting in my account.
What should I do next?
I am sure that some readers are wondering why HSBC in Hong Kong is refusing to dispute these transactions? The dispute process varies from country to country and is not as easy as many readers in the United States are used to. In some countries the credit card issuers may require you to get an affidavit or police report before they entertain an idea of a dispute. I am not familiar (yet) what is the process in the Hong Kong.
There appears to be Consumer Council in Hong Kong. I would contact them for an advice. Because the amount is quite high $21K, I would retain and lawyer to draft a letter to HSBC and British Airways office in Hong Kong asking for a resolution.
There is no reason why HSBC couldn’t dispute these transactions that were not authorized. The merchant needs to then prove that the card was present or where the goods were shipped.
Remember that British Airways continues to claim that they are not aware of any fraud derived from their credit card hack, although the numbers are on sale in the dark web (read more here).
It is very unfortunate that innocent third parties that have purchased tickets from BA need to deal with issues such as the reader here because the airline basically left their front door open and allowed all these information to be stolen.
I hope that the reader is able to resolve the issue with HSBC and British Airways. The first course of action is to get HSBC to dispute these transactions.
There is the BA Class Action lawsuit that SPG Law is preparing. You can sign up for it here.