A LoyaltyLobby reader sent us a message via Facebook about an unfortunate incident that appears to be due to British Airways data hack that leaked credit card numbers with CVVs of close to 400,000 passengers that had purchased tickets from the airline.
Remember that you can always email us, send a message via Facebook or use Twitter and include photos too. We’ll try to cover Reader Questions & Comments here several times a week.
Here’s the message from the reader:
I just read your blog about there’s another victim had suffered from the BA’s Data Theft & Card Compromised case. I believe you maybe more interested on mine.
On 21st Sept this year, I received 4 sms sent from my bank that there were forex transactions had debit my credit card which had used for award booking on ba.com on 29th Aug. The fraud amounts are CHF6,230, CHF4,900, EUR4,794 and USD3,408.12, totally eqv to HKD165,205 (!?).
I immediately called my bank HSBC and see what I could do, HSBC claimed that all the amounts were already properly settled between banks as every single information were correctly input (including CVV!?), therefore deemed no fraud. I did request for dispute/chargeback, but as it’s so uncommon in Hong Kong, customer rights protection here is weak (comparing with the full protection in US/EU), no agreement on the waiver of amounts could be reached apart from inactivate that card till today.
I then quite sure it must due to BA’s leakage as I only used that card (HSBC Premier master, only used for online airticket booking) on ba.com for the past three months. I called BA’s HK office, they played dumb and claimed everything would be handled by their London office, and “suggesting me to contact my bank” for further help (1/3).
Weeks later after I have filed an online complaint plus a twit, I received an email that requesting me to provide booking details, card info and evidents of the fradulent charges… so on, and “suggesting me should contact my bank for further help” (2/3). I did promptly provide everything they requested, together with an online credit card statement as evident.
Three weeks later, I received another email from BA, apart from hyprocretically emphasising “It is important to us that you’re not left out of pocket as a consequence of the data theft so, if you have suffered any direct financial loss that has not been covered by your bank or card provider or relevant insurance policy” twice, and again requested the same information as previous email, AND “suggesting me to contact my bank for any further help” (3/3). I then again provided all information needed, plus scanned copy of my credit card statement in paper form which purposely requested from HSBC as stronger evident.
And guess what? Last week I received another email as follows:-
“Dear Mr NAME REMOVED Thanks for coming back to us about the fraudulent activity on your account.
As you’ve advised that HSBC won’t return the monies taken from your account, please provide us with a letter from HSBC confirming they won’t reimburse you for the charges and the reason why. Please also send us a signed letter of authority allowing us to speak with HSBC about your case. You can send these documents to cr.attachments@ba.com.” Despite the frustration about such ridiculous requests, I stupidly contacted HSBC again. However, as previously HSBC clearly stated out their position that all the amounts were deemed properly settled with no fraud, they are not obligated to provide any letter to explain “why they won’t reimburse” the said amounts. I was even mocked by the telephone agent that “Sir, we don’t explain why you have to pay for supermarket expenses”…
Moreover, there are no authorisation letter attached by BA for me to sign! No to mention all correspondents have to go through their back-to-80s online portal instead of simply click the reply button, the portal comes with no document attachment function (which means I need to go back to outlook and sent the attachment separetly to the designated email address solely for attachements!).
Obviously BA just want to kick the ball to the banks/credit card companies (suggesting me to contact my bank everytime!), instead of I would not out of pocket as a consequence of the data theft and ensure I would be reimbursed as swiftly as possible as promised by BA. Now I have over ten thousand pounds debts sitting in my account.
What should I do next?
I am sure that some readers are wondering why HSBC in Hong Kong is refusing to dispute these transactions? The dispute process varies from country to country and is not as easy as many readers in the United States are used to. In some countries the credit card issuers may require you to get an affidavit or police report before they entertain an idea of a dispute. I am not familiar (yet) what is the process in the Hong Kong.
There appears to be Consumer Council in Hong Kong. I would contact them for an advice. Because the amount is quite high $21K, I would retain and lawyer to draft a letter to HSBC and British Airways office in Hong Kong asking for a resolution.
There is no reason why HSBC couldn’t dispute these transactions that were not authorized. The merchant needs to then prove that the card was present or where the goods were shipped.
Conclusion
Remember that British Airways continues to claim that they are not aware of any fraud derived from their credit card hack, although the numbers are on sale in the dark web (read more here).
It is very unfortunate that innocent third parties that have purchased tickets from BA need to deal with issues such as the reader here because the airline basically left their front door open and allowed all these information to be stolen.
I hope that the reader is able to resolve the issue with HSBC and British Airways. The first course of action is to get HSBC to dispute these transactions.
There is the BA Class Action lawsuit that SPG Law is preparing. You can sign up for it here.
i would have thought that presentation of the evidence of fraudulent transactions to the court, especially as the card had not been used much previously, should be close to enough? It seems a “red herring” that HSBC won’t provide the letter. The letter is only to say that HSBC won’t reimburse. However it’s BA, or their credit card company, or BA’s insurers, that must reimburse either HSBC (for the customer), or the customer direct. If a court finds more than 50% likely (in UK it’s 50%) that it was, for example, British Airways’s negligence that led to the theft.
I’d join the class action but of all the cases mentioned, this gentleman in Hong Kong seems to have the most obviously provable case.
If the amount stolen is not more than 10,000 UK pounds, or if the amount claimed is not more than 10,000 UK pounds (hint! could probably claim for just one of the fraudulent transactions, then, when proven, likely the rest will get paid automatically), you can use the official British government website moneyclaim dot gov dot uk to place a court claim. Fees are very reasonable and claimant is not expected to hire a lawyer for this level of claim. Just one case won like this, would probably accelerate settlement of all. Up to you if you can try it. Ensure you are naming the counterparty’s official name on your receipt for the transaction you paid, correctly, on the website when you create and send the claim.
If your evidence is as strong as it sounds you could just get results and it’s cheap to try
Boy am I ever happy that I do not have an HSBC credit card. My AMEX was hacked on Nov 10 and the second charge of $1500 was detected by the AMEX fraud department who immediately contacted me about the legitimacy of the charge. I denied it almost immediately (I was in the air and only received the email once on the ground) and then my card was cancelled. I still do not have a replacement card and that has been a problem but at least AMEX are very aware of the problem. Once a card is blocked I no longer have access to my account on line so cannot ensure that there were no other items that were unauthorized (this is a real problem here in Canada with the ongoing mail strike) so it remains to be seen if there will be a problem with other unauthorized expenditures.
My sympathy goes out to (Name Removed) and I hope she/he gets satisfaction.
I am really upset with BA and how they are handling this issue. My expenditure with them was only $19 for taxes on a small flight reward and it has been a real pain in the patooie having my travel card cancelled without replacement at the start of a two week holiday.
Reason code 4837 https://www.mastercard.us/content/dam/mccom/global/documents/chargeback-guide.pdf chargeback exists in HK https://www.hsbc.com.hk/pws/Components/personal/assets/pdf/form-centre/Chargeback.pdf .I’ve just done a suspected BA-related Hostelworld chargeback with HSBC HK over the phone last month.
And we have a proactive regulator (the Hong Kong Monetary Authority) to make sure HK banks comply with any applicable regulations https://www.hkma.gov.hk/eng/key-functions/banking-stability/complaints-about-banks.shtml even if banks themselves have (not infrequent) service failures. You have to present a prima facie case first though.
OP has until 19 January 2019 to dispute per Chargeback Guide. I would do it 30 days earlier, using above HSBC form and by registered mail, to create a prima facie case you disputed, and HSBC had adequate time to deal with it.
My amounts are much smaller (EUR 30 and EUR 10)
Is OP a Cantonese speaker? I found HSBC more challenged than Chinese banks in HK when it comes to English callers. Plus for “for your security” purposes, they disabled faxes (which is great for dealing with customer complaints in HK cos you can attach your faxed complaint as part of your HKMA on-complaint) and unsecured emails.
File a complain with HKMA, which regulates all banking activities in HK. I doubt this is a consumer protection issue in HK, but more about the incompetency of HSBC’s call centers in China, which lacks common sense. HKMA will refer your complain for HSBC to respond first, but it will be answered by a more senior team in HK, which is more reasonable and helpful.
Thanks for your advise! I just tried and it did helped. at least I dont need to settle that ten thousand pounds debt, for the moment.
Screw HSBC, sue the bastards at BA
HK residents don’t have ready access to MCOL.
We also have to prove info compromised by BA.