British Airways Avios Restored After Account Audits

On Friday I posted about how, without any communication, British Airways locked thousands of Executive Club members out of their accounts. As it turns out, it seems the accounts were shut down for anyone who uses a third-party service (like Award Wallet) to access their account balances. I think our community is heavily represented on that front. 😉

When you tried to log into your Executive Club account you’d simply get a message saying:

We are not able to recognise the membership number that you have supplied. Please check and re-enter.


You could log into your account again after resetting your password, though all Avios were missing, which made many members panic.


British Airways’ communication on this issue was abysmal, in my opinion. Hours after shutting down accounts they emailed members to inform them that their accounts had been locked down and it wouldn’t be possible to redeem Avios online for an unspecified amount of time:

We have now locked down your online account to protect it from further access. As part of the lock-down process we have also changed your password and you will need to reset it before you are able to use your account.

For a short period of time, as a precaution, we have also suspended the use of Avios on your account. We will let you know when this suspension period is over.

It looks like this has finally been resolved.


Avios were restored to my account this morning, and I received the following email from British Airways Executive Club this afternoon:

Following our recent communication about some unauthorised activity in relation to your Executive Club account, we are pleased to inform you that we have completed our internal audit of your account.

We are continuing to investigate this incident, which we understand was the result of a third party using information obtained elsewhere on the internet to gain access to Executive Club accounts.

At this stage we are not aware of any access to any subsequent information pages within your account, including your flight history or payment card details.

We also do not believe, at this stage, that any Avios have been removed from your account, so we have now lifted the precautionary suspension on your account and you are free to use it as you wish.

However, if you haven’t yet changed your password as a result of last Friday’s email from British Airways, please visit the British Airways website and follow the “Forgotten PIN/Password?” link, which can be found in the top right hand corner of our main home page.

We would recommend that you continue to be vigilant about any unusual or suspicious use of your personal data.

If you use the same login details for your Executive Club account as you do for your online accounts with any other organisations, we would also recommend that you change the passwords for these accounts.

We are sorry for the concern and inconvenience this matter has caused you and would like to reassure you that we are continuing to take this incident seriously.

I realize account security is a hot topic nowadays, as there have been tons of data breaches, though I find this particular incident puzzling.

British Airways is acting as if any third-party access to an account were a hack. Were they not previously aware of AwardWallet, or what? Based on what they’re saying, the cause of their concern was third-party account access, and surely that’s not something that’s new to them.

Beyond that, if they were going to temporarily shut down accounts, then it seems like they should do that (with an error message reflecting what’s going on) rather than still letting you log in and see all your Avios missing.

Bottom line

I’m happy this was ultimately resolved reasonably quickly, but British Airways, next time maybe:

  • Communicate with members better
  • Don’t panic when you learn about this thing called AwardWallet 😉

How do you feel about how BA handled the supposed Executive Club account “hacks?”

Comments

  1. BA’s handling of this has been abysmal, particularly their piss-poor communication regarding it. They’ve told me for TWO DAYS I will be getting an e-mail from them about it, and nada. Furthermore, I’ve tried to reset my password around 6 or 7 times now (I’ve lost count), and I’m still locked out. Pathetic. I’m getting more info from FT than I am from them.

  2. Still locked out and have heard nothing from BA. I’m not worried about losing miles but an update would be nice.

  3. Aside from the fact that no one actually lost any miles in this issue (nobody that I know of), I do think it inconvenienced people enough and stressed them out to the extent that would make some extra miles a logical move.

  4. I never received any communication from BA about this… I was able to reset my password and my miles are back as of this morning… but they handled the situation terribly.

  5. The handling of this affair has been abysmal. I’ve never received any emails from them (either about audit or about return of the Avios). I’m starting to suspect they didn’t send emails to most members because they wanted to keep this under the radar.

    Furthermore, I believe people on FT had posted that their accounts were locked even if they weren’t using AW or other services.

    FYI, my Avios are also back today but it’s really weird to have to find out about these events from a blog instead from BA themselves.

  6. “We are continuing to investigate this incident, which we understand was the result of a third party using information obtained elsewhere on the internet to gain access to Executive Club accounts.”

    Award Wallet, anyone?

    And the communication on this screams rank amateur. I never even knew I was impacted until I got my weekly activity summary email from Award Wallet showing my balance reducing to zero. I already knew what was going on because of OMaaT (Thanks Ben!) so I didn’t care, but I just reset my password (Back to my SAME OLD PASSWORD) and the (useless) Avios are back.

    I have received nothing in the way of communication from BA on any of this.

  7. I didn’t get any email from BA. I used Password reset link and it worked second time. I got my Avios back today morning, again no email from BA.

  8. @Ivan Y – “I’m starting to suspect they didn’t send emails to most members because they wanted to keep this under the radar.”

    I’m normally not a conspiracy theorist, but at this point, I’d be inclined to agree.

    @TravelinWilly – “Award Wallet, anyone?”

    AW says they weren’t hacked. Furthermore, if they were, why is this problem only affecting BA?

  9. Still showing zero Avios (should be ~100k), and I still have not received a single communication from BA.

  10. @Brian L. – Sorry, I wasn’t clear. I was suggesting that a system like Award Wallet (“…third party using information…”) may have triggered BA’s security software, not that AW may have been hacked.

  11. I am still locked out. Haven’t reset my password yet. Have had zero communication from British Airways. If I wasn’t a reader of this or other travel blogs, I would probably be freaked out and have no idea what to do. Bad communication by BA.

  12. FYI – I tried to reset my password using a special character (i.e. * # @, etc) and it would not let me until I picked a password with ONLY letters and numbers in it.

  13. OK, so in regards to “As it turns out, it seems the accounts were shut down for anyone that uses a third party service (like Award Wallet) to access their account balances.” I wanted to address this. Here is what BA is saying:

    “This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to your Executive Club account.

    We understand this was login information relating to a different online service which you may have also used to access your Executive Club account.”

    So, BA is not blaming third party aggregators like AwardWallet at all, what they are saying is this: you (Mr. Customer) used the same credentials you use on http://www.britishairways.com/ on some other website (not an aggregator website but *any* other website where login credentials are required to authenticate). That other website was hacked and your username / password combination was compromised. Then the hackers tried all those hacked accounts against http://www.britishairways.com/ and some of them worked – this is how they got in. So they are not blaming the aggregators in this case at all as far as I can see.

    Cheers,
    -Alexi
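The mechanism Alexi describes (leaked credentials replayed in bulk against BA, with a few hits) leaves a very different login-log footprint from a balance aggregator that holds valid credentials for many accounts. The following is an added defender-side example, not BA’s or any commenter’s code, showing how a login log could separate the two and pick out only the accounts a stuffing source actually got into; the log format, IP addresses, membership numbers and thresholds are all constructed for this example.

```python
from collections import defaultdict
# Constructed sample login events (not real BA data):
# timestamp, source IP, membership number, result
SAMPLE_LOG = """\
2015-03-28T02:00:01 203.0.113.7 10000001 FAIL
2015-03-28T02:00:02 203.0.113.7 10000002 FAIL
2015-03-28T02:00:02 203.0.113.7 10000003 OK
2015-03-28T02:00:03 203.0.113.7 10000004 FAIL
2015-03-28T02:00:03 203.0.113.7 10000005 FAIL
2015-03-28T03:00:00 198.51.100.20 10000003 OK
2015-03-28T03:00:01 198.51.100.20 10000007 OK
2015-03-28T03:00:01 198.51.100.20 10000008 OK
2015-03-28T03:00:02 198.51.100.20 10000009 OK
2015-03-28T03:00:02 198.51.100.20 10000010 OK
2015-03-28T09:13:10 192.0.2.55 10000007 FAIL
"""

def parse_events(text):
    """One event per line -> list of (ip, member, succeeded)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            _ts, ip, member, result = line.split()
            events.append((ip, member, result == "OK"))
    return events

def profile_sources(events, min_accounts=5, stuffing_fail_rate=0.5):
    """Label each source IP; thresholds are assumptions for this example.
    Stuffing replays leaked credentials against many accounts and mostly
    fails; an aggregator also hits many accounts but rarely fails."""
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0, "fails": 0})
    for ip, member, ok in events:
        s = stats[ip]
        s["accounts"].add(member)
        s["attempts"] += 1
        s["fails"] += 0 if ok else 1
    labels = {}
    for ip, s in stats.items():
        if len(s["accounts"]) < min_accounts:
            labels[ip] = "normal"
        elif s["fails"] / s["attempts"] >= stuffing_fail_rate:
            labels[ip] = "credential-stuffing"
        else:
            labels[ip] = "aggregator-like"
    return labels

def accounts_to_lock(events, labels):
    """Only accounts a stuffing source actually got into need a lockdown."""
    return sorted({m for ip, m, ok in events
                   if ok and labels[ip] == "credential-stuffing"})
```

Locking every account any many-account source touched would also freeze the aggregator’s users, which is the outcome several commenters suspect happened here.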

  14. I am happy BA proactively protected our accounts when they discovered a problem. Resetting the password took less than a minute.

    I would rather be slightly inconvenienced, by the lockdown, than have to prove to them that my points were stolen.

    I am told by someone who is an IT security expert, not a member of our hobby, that it is believed in the IT community that AW was in fact hacked regardless of what we are told otherwise.

    I have personally had problems with the AW browser extension, it more or less crashed my entire computer, but the person who answers their emails insists it is impossible, yet removing the extension cleared up the problem immediately.

  15. @david – The problem isn’t BA protecting their accounts, it’s their almost complete lack of any kind of substantive, meaningful communication.

  16. What’s with the AwardWallet blame? I’ve not seen BA point the finger at any specific 3rd party site. There are many others, TripIt, Yodlee, Mileblaster, Milewise, Pointhub, and others. I believe that AwardWallet investigated and responded promptly after this BA issue was discovered that they were not responsible.

  17. Is there anyone who does not use AwardWallet who had their account frozen nonetheless? I don’t use AW with BA.com and did not have my account frozen.

    The language “obtained elsewhere on the internet” does not support the theory it was AW. Also, “some unauthorised activity” does not apply here since you authorized AW to use your credentials. BA may have a specific policy that third parties are not to access your account on your behalf, which could then be considered unauthorized. But if this were the trigger, they should have blocked AW long ago.

  18. I don’t use award wallet and I was affected by this. Ended up doing my booking this weekend with Delta and the short haul flight was 32,500 points instead of the 9,000 it would have been on a BA American redemption. *sad trombone* The flight is for today, so I didn’t have the luxury of waiting until BA figured things out, so this breach did materially cost me a bunch of miles. Again, I get security breaches (I’m a sysadmin myself) so it’s not *what* happened, but how they chose to respond that’s unprofessional to me. I still haven’t gotten any email at all from them. And it was 4 full days after my account went offline that their website first started showing any sort of indicator that the problem might be on their end (coincidentally, Reuters picked the story up this morning).

  19. All is (finally) back to normal for me. This has severely shaken the previous high regard I had for BA. I am going to try to calm down before I make any big decisions about my involvement with BA/BAEC, but the pathetic way they handled this is going to loom large in any decision I make in that regard.

  20. Dreadful comms from BA on this issue. They also managed to make the email they sent members about it sound like a phishing email scam!

    AwardWallet definitely weren’t to blame but the email made it almost sound like they were. Have read of plenty of folk who don’t use AW, use a unique password for the BA site and still had their accounts locked, so something more is going on.

  21. Yes, abysmal is the word. I never received any communication from BA and if I hadn’t read some travel blogs I would not have known why all my Avios disappeared. I emailed them before I read the blog and never got back anything but an automatic email confirmation. Still haven’t heard back.

  22. I have still received no communication from BA in any way. The reset password email never came, even though I tried multiple times. Award Wallet appears to show a refund of *some* points, but not all – only the recent transfer from Amex, not the points I already had in my account before that. But I can’t login to check. Totally pissed about this whole thing and how badly it’s been handled.
