Someone Is Hacking My Mileage Account

The mystery of my British Airways Executive Club account deepens. And I have a theory.

My bizarre August British Airways account hack

In August I posted about some weird activity with my British Airways Executive Club account. Specifically, I was emailed a rejection for a status match request I had made, as well as a rejection for missing mileage credit I had requested with Executive Club.

There’s only one small catch — I hadn’t requested the missing mileage credit or the status match.

I’ve certainly had readers do malicious things, though I’m not sure what exactly this would have accomplished. Them trying to get me BA Gold status seems like a favor more than anything. I didn’t investigate much further, since I assumed it was a one-off and just wasn’t worth investigating too deeply, given that I didn’t get credited miles or status I didn’t deserve, or anything.

My even more bizarre British Airways account hack

Well, several months later this just got weirder. A lot weirder.

Yesterday I received four emails from British Airways Executive Club confirming I had requested missing mileage credit for two airberlin flights and two Qatar Airways flights:

BA-Avios

The emails had indicated that the requests were being passed on to the airlines operating the flights, and that I’d receive confirmation of missing mileage credit within eight weeks.

Executive-Club

Now I didn’t actually request that mileage credit, given that two of those flights were award flights and two of them were credited to American AAdvantage (even if it was a real pain to get them credited).

It gets much weirder.

Shortly thereafter I received the following email from British Airways:

Thank you for requesting Avios and Tier Points for your recent flights with us and our partners.

I have credited your missing flights with us and submitted your claim for your Qatar Airways and airberlin flights for them to check and approve.

You can keep track of your claim by logging in to your account on ba.com and clicking on ‘Claim missing Avios’ then ‘Where is my BA partner claim?’.

If they accept your claim, we will usually credit your account within 28 business days. If your claim is unsuccessful we will contact you to let you know if we need any more information, or if your flight is not eligible to earn Avios or Tier Points.

Remember – if you flew with airberlin on a JustFly fare, this does not earn Avios or Tier Points, so we will be unable to credit your account.

When you fly with airberlin or Niki on short and mediumhaul routes with no Business Class cabin, only some fares will earn Avios. On FlyFlex+ fares you will earn 100% of the miles flown, on FlyClassic fares you will earn 50% of the miles flown, on FlyDeal fares you will earn 25% of the miles flown, while on JustFly fares you will not earn Avios or Tier Points. Flights with these fares will credit to your account as Y, M, P and A class respectively, even if your ticket shows a different class which would earn Avios on longhaul or codeshare flights. On codeshare or longhaul flights you will earn Avios and Tier Points according to the class shown on your ticket. You can see the list of classes and fares which do earn Avios on ba.com.

I have checked your booking and can see your Alaska Airlines flights were paid for using Avios. I’m sorry to say tickets purchased using Avios, On Business points or our partners’ frequent flyer programme miles, kilometres or points do not earn Avios or Tier Points, so I am unable to credit your account.

I’m happy to say that I have transferred your membership to Silver and ordered you a new card, which you will receive in the next 28 days. Your new status will show on your account in the next 24-48 hours.

Until you receive your new card, you can order a digital copy of your membership card on ba.com or the BA mobile app. The digital card is just like a plastic card – it has your name, membership number and card year expiry date but there’s no need to carry it with you. It still allows you take advantage of your membership benefits while you’re at the airport.

Woah, someone requested missing mileage credit for my account for about a dozen flights. Enough flights so that I qualified for BA Silver status and earned 50,000+ Avios I didn’t deserve.

BA-Tier-Points

Apparently someone even tried to request missing mileage credit for the Alaska award flights I took which I booked using Avios.

The issue, of course, is that the eligible flights are ones I already credited to American AAdvantage, and while I’d love to “double dip” earning miles, I also know that’s not right, and for that matter could cause them to suspend my account.

What could the motive be?

This is bizarre:

  • What would someone’s motive be for requesting a status match for me, and for requesting additional miles? Are they trying to help me out (as they perceive it)? That seems a bit backwards, no?
  • If their intent was to spend the Avios and they had full access to my account, you’d think they would change the email address on file so that I wouldn’t be alerted every time such a request is made.
  • The strangest part is that missing mileage credit was requested partly for flights which I in no way shared publicly; in other words, it’s not just flights I reviewed or flights I posted Instagram pictures from, but a few others as well.

This leads me to two theories:

  • It sure seems like the goal might not be to hack my account so they can spend my miles, but rather that they’re trying to get me in trouble with the airline(s) by requesting duplicate mileage; in other words, if I’m credited all these miles and don’t say anything, the airline(s) could certainly go after me and take back the miles and suspend me from the program.
  • While I can’t say it with certainty, the fact that credit was requested even for flights I never wrote about suggests it’s someone with inside knowledge of my itineraries, perhaps even someone at an airline who would have access to my itineraries.

Bottom line

I find this kind of account hack to be super creepy. It’s one thing if someone changed the info on my account and tried to steal miles from me, which would at least have a straightforward motive. But the motive here isn’t as apparent. If they were trying to steal miles from me, presumably they’d change the info on the account so I didn’t receive notifications. And for that matter no miles have been redeemed.

Further, the inside knowledge of requesting miles for flights I never wrote about suggests this is someone who has access to all of my travels, perhaps someone at an airline (it could be any of a few airlines).

I’ll be reaching out to British Airways once this post publishes to see if they’ll investigate this with me. I figured it made sense to publish the blog post with all the background first, given that this is probably a bit too complex to handle through the traditional customer service email. It’s much easier to be able to link to this blog post and lay everything out.

Anyone have a theory as to what’s going on?

Comments

  1. Lucky,

    If it gets serious you should contact BA fraud department and see if they can track an ISP for the log ins. If they are not willing to cooperate an attorney to request it may be worthwhile. You have a valuable blog that has brand and recognition and if someone is using the BA website to attempt to disrupt your credibility that is not a good thing.

    Good luck with this, bro.

  2. I think that you’re getting A LOT media attention lately. While I wouldn’t suspect loyal readers, there are a lot of people who get REALLY jealous. And they might try to screw you over (and indeed get you into trouble). Or they try to first check if you notice. If you don’t notice anything strange, they might continue with their evil plan to spend your miles (let’s say short notice of 12h in advance & using false identity).
    I’ve seen a lot of bad reactions of people when the press writes about your blog. It’s actually really a shame.

    Are you actually using secure passwords and/or using a password manager? If no, you should. If yes, check that your password manager password isn’t compromised in any way (just to avoid other bad things).

  3. My theory is that there are some system settings that are causing to automatically get your flights credited to Avios and request credits. If it were a person – then you ought to have seen them using the miles from your account – nothing less. My Lifemiles was hacked and ask me how hard it was to get them to fix things and re-credit back the miles that hacker had used to book hotels… yeah… hotels using lifemiles!

    Given your description I think its the system and not a person… let’s see how this turns out.

  4. BA should be able to trace this if it really is an internal problem. Yikes. Weird malignant stalker types.

  5. Ben –

    I do believe it is someone inside the airlines and they are attempting to get you expelled from a specific airline program…or several. I wonder if airlines share a ‘blacklist’ of sorts of scammers?

    If you were falsely identified as an individual trying to defraud the airlines then several might terminate your participation in their frequent flyer programs.

    Hence, I suspect that may be the real intent of this person (perhaps more than one sharing information and working together.)

  6. Isn’t displaying your BA membership number a little foolish given the situation?

    I would certainly request a new number now given what has happened.

    Best of luck.

  7. Would love to hear more as you investigate with BA. This is certainly fascinating and I’m curious to see how they respond.

  8. As I was reading this it felt like a phishing scam trying to get you to click on a link to the. Enter your details. But then when you said about getting the miles credited it got weird.

    BA should be able to trace where the requests are coming from, hope you get to the bottom of it soon.

  9. Get BA to issue you a new account number and transfer the points in. Use a new password obviously. Also, make sure to change the password on any other accounts that used the same password.

  10. given your notability in the field, you should be rigorous about changing your passwords every 4-6 weeks at the very least. i think that’s the standard most IT departments have in larger corporations. we’ve all seen how irrational some of your detractors can be.

    there certainly were more than a few people who went ballistic when you criticized BA recently.

    (FWIW i flew club world LHR-JFK the other day and the service was phenomenal! such a warm and friendly crew. the seats, on the other hand…)

    hope this all works out!

  11. This might sound really basic– but are there other accounts someone may have hacked into that would give them your detailed itinerary info? Do you use TripIt? Even your e-mail account that would contain all your itineraries? I would definitely change all passwords immediately.

  12. Seems so odd if it’s for flights you actually took but didnt review my bet is something odd system wise, like auto filling missing claims if you credited to another program.

    Just seems too strange, as if someone was trying to be malicious, this would be an odd way to do it.

  13. If someone was able to hack your BA account, they likely were able to hack your email account. All your flights are likely sent to that single email address, which would allow a hacker to know all your flight plans.

  14. What strikes me is:
    1. This person would have to know all your flights or know someone who knew all your flights;
    2. This person would have to be good enough to figure out to access your account;
    3. This person would have to be relatively knowledgable about how miles work (probably not so hard to find in your group of friends)

    Have you ever used a public computer? Or borrowed someone else’s computer? Even a friend. Or have you befriended a lounge employee who looked up your flights?

    Definitely creepy…

  15. Ben, if you use an app such as TripIt, perhaps that is the account that has been compromised. That would explain how they would have info on all your flights as well as account numbers etc.

    Very easy to capture passwords when you are using public wifi as well.

  16. Does it seem like every flight that was an award flight or credited to other program has had a missing request made, or just some? It seems if it was system related it would at least be consistent.

  17. I would definitely contact BA to find where the person logged in…. I doubt it was a someone with malicious intent , especially since it practically benefited you. Maybe a BA agent entered your account details by accident when processing another claim ? Do tell us if you make any progress.

    Good luck!

  18. BA has a real problem with their system.
    My account was hacked, looks like from their side, as I didn’t get any emails of any transaction and from my account someone booked a hotel room for a week in Russia.
    I contacted them and they put my account on hold…

    Still waiting, it’s been a month and I still didn’t get my points back…

  19. That is fraud and will be dealt with severely by BA, I hope they work with you to sort it out Ben.

  20. I’m an expert at this stuff personally I think the following could have happen

    A. Your e-mail account was compromised
    B. An internal error at BA
    C. Somebody stole your information through public WiFi

    I recommend that you change your e-mail and BA account passwords and then see what happens

  21. hahahahahahaaahahaha

    You’d NEVER try something shady…..right?

    LOLOLOL

    I say we stand UNITED against this hack.

  22. Ben – have you thought about the hack being done from someone within AwardWallet? They have all your account information and passwords. Just a thought.

  23. For the past three years, I have been receiving credit for 3 or 4 nights stays at the Berlin Hyatt. It wasn’t me, and I have Hyatt Platinum status, but when I called Hyatt to ask about this, they seemed concerned, but never corrected it. No one has tried to use my number, but it is a bit weird.

  24. I’d suggest to reset your passwords to ALL miles accounts you have for all airlines/awardwallet (yes i realise this will take time) and take maximum use of the password policy in place (yes i realise this will take even longer) and then reset the password to the email account which those miles accounts are attached to, again taking account of their own password policy.

    It’s best to take a “scorched earth” policy and reset everything related just to be sure.

  25. I read your blog through your posts on FB. I’ve noticed the last week or so that each story I click for your site gets redirected to a virus or malware installer page. Norton stops it each time and quarantines it, then I’m able to re-click the link from FB and come directly to the site. I think the ad server service you’re using has some malicious content rotating through. Just fyi….

  26. Blame the Chinese – remember the cabin crew that got sent to the gulag for your flight review of an awful first class experience on China’s premier airline? Just sayin’ ;-D

  27. @Christian. It is probably you trying to deflect attention to pointing to Ford. You are a lame ahole. Probably homophobic as well. Now go away.

  28. Some men aren’t looking for anything logical, like money. They can’t be bought, bullied, reasoned, or negotiated with. Some men just want to watch the world burn.

  29. Any angry, ex-OMAAT staff out there? Just a thought I didn’t see so far. Beyond that I agree with email hacks or some service tracker (Tripit, Award Wallet, etc) hack.

  30. Honestly Ben, my money is with the airline employee trying to get you booted from the program. They can easily access all past flight info with a few simple key strokes, then deliberately requesting points for award tickets and tickets that you already earned another carrier’s miles is a sure fire way to get you kicked off. Keep us posted.

  31. Ben, Love you, Love the blog…
    That said, you have always been quite honest regarding your flight and lounge reviews. Could it be a BA super fan?
    revenge is a dish best served cold…
    keep up the good work!
    RR

  32. Really strange, it sounds like an inside job to me. How else would they get your flight info for flights you don’t even blog/tweet/ig about.

  33. @Ron Seeber: Your situation is easier to explain plausibly. There is a regular annual guest to Berlin who has a frequent customer profile on the local hotel system. When creating that profile, the front desk agent mistyped the guest’s HGP number and yours was entered in error.
    It is not a traceable problem until the guest takes the initiative to find out why points weren’t credited…and even then it may stop at HGP Customer Service and never get traced back to the hotel. Although that being said, I thought the HGP number appeared on the hotel receipt (so maybe the guest is dyslexic and didn’t realize that number or two had been switched or mistyped). Or else they are disorganized or they don’t care. By the way, do you work at ILR/CU?

  34. Suspicious but not overtly malicious, so one possibility is BA has simply confused you with with another Executive Club member. Earlier this year, I received repeated emails from Hyatt welcoming me to the Andaz 5th Ave for my honeymoon, only I had no stays at that Andaz and no honeymoon trip either. I contacted Hyatt and they apologized for their mistake.

  35. Could definitely be BA confusion. My wife was recently credited for several flights of someone else who had the same first and last name. Earned Bronze status in the process.

  36. In case you weren’t aware, at many firms (not airlines specifically), many employees have access to the username and password databases. This means that someone at American could hypothetically have your American password, and could attempt to use that password on Delta’s site. To truly secure all of your online accounts, you need a DISTINCT password for each domain.

  37. This reeks of internal foulplay. The fact that you are receiving tier points and mileage for award flights implies that it isn’t just some random person off the street who’s doing this.

  38. I have spent years working on things like this and even testifying as an expert witness in computer networking cases. If someone brought these facts to me, the first thing that I would say is that it is internal to BA, not someone else hacking your account. I would suspect either a BA employee with strange motives or a system problem at BA (more probably the latter). Nothing else makes a lot of sense. Besides, if someone did want to get at you and was able to hack your accounts, this is a rather obtuse way of approaching the issue. It just doesn’t fit a hacker.

  39. You find it easier to write a blog, post it publicly then link to it when you contact customer services than simply detail the issues when you contact customer services?

    Oh please!

  40. To have all these informations, the person must also have access to your email account. If you use GMail, you can check via their security page where you have (or had) open sessions in recent times.

    If you use mileage websites (awardwallet.com for instance), maybe they have an automated service to claim mileage and have a bug?

  41. Lucky, IT’S NOT your BA account was hacked! IT’S YOUR EMAIL ACCOUNTS HAVE BEEN HACKED.

    Whoever hacked your email account didn’t touch anything in your email account but was able to see all your itinerary. Your BA account password maybe the same as your email account. After he logged in your BA account, he started to claim missing Avios.

    If you use gmail, go to account center, check recent log in. Turn on 2-step verification.

    Also keep in mind, the hacker also can see the post……

  42. You just fed a troll big time and inspired copycats. This information should have been kept private for your security.

  43. Another thing to consider and to be careful of is public wifi, especially in foreign countries. They can be far from secure and people with malicious intentions can have a field day. Consider using a VPN to be more secure, especially with all the travelling you do.

  44. I think it’s likely that the hacker also hacked into your (or Ford’s) email account(s), thus the knowledge about flights you took in private. That possibility is more likely than an airline insider accessing your confidential records on a company-owned computer system.

    I would consider changing ALL of your passwords on ALL of your accounts (email, reward program, instant message, iMessage (or the Android equivalent)).

  45. As others have noted, your use of public wifi (gogo, free lounge wifi, airplane wifi, hotel wifi) etc are all very easy vectors to sniff your network traffic and steal your login credentials. When you consider some of the locales you travel to/through (UAE, HKG, etc.) are tightly surveilled by their own governments, it would be extremely wise to invest in a VPN service (or two, as a backup) to keep your network activities and information secure.

    Second – Although BA/AA/etc will probably have logs of all IP addresses that have logged into your account, I assume that may be a fruitless effort considering your “normal” usage is probably from anywhere on the globe anyways.

    Going forward, get a password manager (lastpass, etc) to handle all of your private information. Cycle your passwords and let the password manager handle it. Update your security questions. Set your VPN client to automatically log in when on wifi. That should help quite a bit.

  46. “Once is chance. Twice is coincidence. Three times is enemy action.” Looks like you have a really bizarre enemy. The more public you become, the larger your subset of potential enemies; ergo, the larger the subset of weird potential enemies. Or perhaps your enemy is just crazy like a fox, given that the tactic (short-term “help” that results in long-term harm) is plausibly deniable. Your enemy may be counting on BA’s first question being “cui bono.”

  47. I think your email account has been hacked. You should use several email-accounts for several purposes – for example: One to communicate with the public (this account is the most viewable, so it is at high risk), one for airline related stuff, one for hotels and so on.

    You should use a password-manager, read the corresponding part of this article: http://www.bento.de/gadgets/tipps-fuer-mehr-privatsphaere-im-internet-von-edward-snowden-118889/#refsponi (German)

    If you are still using Apple computers this might be interesting to you, even if i think that this is not how you got into trouble: http://www.golem.de/news/matthew-garrett-apple-rechner-eignen-sich-nicht-fuer-vertrauliche-arbeiten-1601-118332.html (German)

    Good luck!

  48. Hum, I’d think it was someone who works for one of the airlines -on one of the flights- that you wrote a not so good review about and has access to your BA account, in other words someone who works for BA.

    I’d push them all the way to find out who did it. That is not funny!

  49. Wow, lots of conspiracy people here. What’ll probably happen is BA will rectify the mistake and apologise. Then Ben will make another post bashing BA for not giving any miles (which he’ll of course say he didn’t want) or he’ll have a go at BA for not making a public apology for what is quite simply a tiny mistake that a blogger has gone over the top for

  50. I wonder if there is an un-authenticated web page where you can make these requests and the other person is miss-typing their number? Back in the day Northwest didn’t make you sign in to request missing millage, just enter your worldperks number and ticket number into a webform.

  51. Hackers aren’t this sophisticated. Nor do I think they’d go though all this trouble just to play games with you.

    Simplest explanation is always the best: BA’s site is just buggy.

  52. @James

    “Nice, make a blog post first so the BA people have to read this. Way to get some extra views”

    Consider that account support staff aren’t available at all hours and that Ben often writes posts in the air where it’s not necessarily feasible to engage in an exchange with a party on the ground. Seems like this sort of reaction is why this hack seems creepy instead of glitchy.

  53. My guess is it is absolutely an airline employee, or someone in your inner circle, who is trying to get you in trouble. Maybe an FA you pissed off that got in trouble because of something you published sometime. You’re already banned from UA, and this person is trying to seek vengeance. Obviously let the airlines know your account is compromised.

  54. FRAUD possibility:

    I asked to add my wife’s middle name to her BAEC account.

    They said I had to be a nominee.

    She added me as a nominee and used password.

    When I called, they had me verify the 3rd,5th,7th letter of the password.

    Did that mean that the rep could see the whole password or just the selected letters? This is a password I use for a lot of things?

    Did you use a nominee for any account with your password?

Leave a Reply

Your email address will not be published. Required fields are marked *