For the better part of a year, there has been some weird activity on my British Airways Executive Club account. This all started last March, when British Airways seemed to have some big data breaches, which caused thousands of accounts to be locked.
But it started getting weird for my account in August, when I received a rejection email for a status match request, as well as a rejection for missing mileage credit. The only problem was that I hadn’t requested the status match, or the missing mileage credit. I assumed it was some one-off glitch, so didn’t put much more thought into it.
It got even stranger a couple of weeks back, when someone was once again requesting missing mileage credit for my account, for flights I had credited to other airlines. What makes this truly bizarre is that many of these are flights I had never written about, so even if it was a malicious reader, I’m not sure how they would have known which flights to request credit for.
I’ve gone ahead and followed up with British Airways to try and get to the bottom of this, and received the following response, which I figured I’d share:
Thank you for contacting us about the anomalies linked to your British Airways Executive Club account. I have taken a look at your account and would like to take this opportunity to address some of your concerns.
In March 2015, we requested that you updated your password, to ensure that your account was secure. Our records show your password was updated on 27 March.
British Airways monitors Executive Club account activity on a regular basis and in August 2015, you were sent another email to advise you again to update your password, as some of your personal data was available online. I have checked this again today and notice that your current email address has been posted on a number publicly facing websites designed to share content. This could be an indicator of a data breach. These were posted between August 2014 and January 2016, so I would suggest that if you’ve not already done so, that you check this.
This same period coincided with a request into the Service Centre on 15 August for a number flights to be tracked to your account, plus a query regarding your tier status. Some of those flights were tracked but some were rejected. When a flight claim is rejected, an automated email is sent to the account holder, and your Third Party Nominee was in contact on 21 August, to advise that you’d received several of these. You also contacted us on 16 December reiterating that you had never made the requests.
We received further requests for additional flights to be tracked to your account at the end of December, which as you’ve mentioned in your article dated 04 January 2016, provided sufficient tier points to achieve Silver status.
I am still looking into how the original requests were received for both the latest tracking and those from August 2015. One option would be to open a new Executive Club account, with a unique email address and login details. I will then transfer your Avios and Tier Points balance to the new account.
I would like to apologise for any inconvenience that may have been caused over the past months and reassure you that I will resolve this matter for you.
While this doesn’t answer the question of who has been hacking my account, it’s clear that something is going on, and it seems like the best option is to have them create a new Executive Club account for me, and change the email on file in the process. I wasn’t aware that was an option, so that’s good news.
I’d still be very curious as to who has been hacking my account, but something tells me British Airways won’t be sharing the IP addresses, etc., from which the requests were made.
We hear all the time about account breaches, and it’s quite easy to assume it only impacts other accounts. I’m still not sure whether to assume this was part of some wide-scale breach, or was specific to me. I’m leaning towards the latter (and shared theories as to the motives in the previous post), since this seems like a very unconventional “hack.” It’s not like they’ve tried to redeem my Avios, or anything, but rather this just seems more malicious and creepy in a targeted way. I still have no clue as to how they figured out some of the flights I took based on the requests for missing mileage credit.
I should probably finish by clarifying that I do use a password management tool, so my passwords are “secure,” and different for all my accounts, and changed frequently.
Take this as a reminder to protect your loyalty program accounts — these account hacks can happen to anyone!