British Airways Responds To My Account Hack

For the better part of a year, there has been some weird activity on my British Airways Executive Club account. This all started last March, when British Airways seemed to have some big data breaches, which caused thousands of accounts to be locked.

But it started getting weird for my account in August, when I received a rejection email for a status match request, as well as a rejection for missing mileage credit. The only problem was that I hadn’t requested the status match, or the missing mileage credit. I assumed it was some one-off glitch, so didn’t put much more thought into it.

BA-Credit-Request

It got even stranger a couple of weeks back, when someone was once again requesting missing mileage credit for my account, for flights I had credited to other airlines. What makes this truly bizarre is that many of these are flights I had never written about, so even if it was a malicious reader, I’m not sure how they would have known which flights to request credit for.

Executive-Club

I’ve gone ahead and followed up with British Airways to try and get to the bottom of this, and received the following response, which I figured I’d share:

Thank you for contacting us about the anomalies linked to your British Airways Executive Club account. I have taken a look at your account and would like to take this opportunity to  address some of your concerns.

In March 2015, we requested that you updated your password, to ensure that your account was secure. Our records show your password was updated on 27 March.

British Airways monitors Executive Club account activity on a regular basis and in August 2015, you were sent another email to advise you again to update your password, as some of your personal data was available online. I have checked this again today and notice that your current email address has been posted on a number publicly facing websites designed to share content.  This could be an indicator of a data breach. These were posted between August 2014 and January 2016, so I would suggest that if you’ve not already done so, that you check this.

This same period coincided with a request into the Service Centre on 15 August for a number flights to be tracked to your account, plus a query regarding your tier status. Some of those flights were tracked but some were rejected. When a flight claim is rejected, an automated email is sent to the account holder, and your Third Party Nominee was in contact on 21 August, to advise that you’d received several of these. You also contacted us on 16 December reiterating that you had never made the requests.

We received further requests for additional flights to be tracked to your account at the end of December, which as you’ve mentioned in your article dated 04 January 2016, provided sufficient tier points to achieve Silver status.

I am still looking into how the original requests were received for both the latest tracking and those from August 2015. One option would be to open a new Executive  Club account, with a unique email address and login details. I will then transfer your Avios and Tier Points balance to the new account.

I would like to apologise for any inconvenience that may have been caused over the past months and reassure you that I will resolve this matter for you.

While this doesn’t answer the question of who has been hacking my account, it’s clear that something is going on, and it seems like the best option is to have them create a new Executive Club account for me, and change the email on file in the process. I wasn’t aware that was an option, so that’s good news.

I’d still be very curious as to who has been hacking my account, but something tells me British Airways won’t be sharing the IP addresses, etc., from which the requests were made.

British-Airways-Lounge-London - 41

Bottom line

We hear all the time about account breaches, and it’s quite easy to assume it only impacts other accounts. I’m still not sure whether to assume this was part of some wide-scale breach, or was specific to me. I’m leaning towards the latter (and shared theories as to the motives in the previous post), since this seems like a very unconventional “hack.” It’s not like they’ve tried to redeem my Avios, or anything, but rather this just seems more malicious and creepy in a targeted way. I still have no clue as to how they figured out some of the flights I took based on the requests for missing mileage credit.

I should probably finish by clarifying that I do use a password management tool, so my passwords are “secure,” and different for all my accounts, and changed frequently.

Take this as a reminder to protect your loyalty program accounts — these account hacks can happen to anyone!

Comments

  1. You should do a Google search for the email address and password that you use with BA.com, and see if anything turns up.

  2. My account was hacked and almost 90K avios was used to book a hotel in Russia.
    I still didn’t get any feedback from BA after they said that it’s being investigated…
    I will call in next week to check

  3. Crazy. Perhaps BA should disable email logins like UA. I thought it was stupid at the time but I’ve memorized my MP number and it’s just as fast. Of course, they still use 4 digit PINs bc UA.

  4. Actually if you followed news in China recent days you won’t be surprised… Some big OTA names like Ctrip and Qunar are known to hack others’ account, use their mileage for award tickets/hotels, and sell them out for profit…

  5. Seems like this still has to be someone that would be able to search BA, AA and Oneworld systems to figure out what flights you were on. A hacker would not be able to see this information by just logging into your account. You should go back and look at your posts for the weeks leading up to August 21st to see if you could have pissed off any Oneworld employees, perhaps by calling out a FA or other customer service person by name or even just writing something negative about a OW airline.

    I’m crossing my fingers that you badmouthed Akbar Al Baker and he is personally behind this 😉

  6. I know this is an old post but it needs some response to some silly ideas.

    Firstly do NOT Google search your email address and password (Eric)! If you want to know if your email/password (or other details) have been exposed, try the haveibeenpwned site.

    Tom, there are thousands of Travel Agents around the world who have access to passenger/flight details through various Ticketing Agencies – e.g. Amadeus. Why would a hacker try and compromise organisations such as Amadeus, Sabre, BA, AA, Virgin, Qatar, etc, etc when they only need to compromise the few PC’s in their local T.A.?

Leave a Reply

Your email address will not be published. Required fields are marked *