BA suspending BAEC accounts after suspected hacking attack

I had a tweet on Friday from a HFP reader who suddenly found himself locked out of his British Airways Executive Club account.  The call centre were not willing to enlighten him further.

Over the weekend, more details have trickled out.

This email from British Airways was posted by a user at Flyertalk:

Dear Customer

British Airways has become aware of some unauthorised activity in relation to your Executive Club account.

This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to your Executive Club account.

We understand this was login information relating to a different online service which you may have also used to access your Executive Club account.

We would like to reassure you that, although it does appear that the login attempt was successful, at this stage we are not aware of any access to any subsequent information pages within your account, including your flight history or payment card details.

We have now locked down your online account to protect it from further access. As part of the lock-down process we have also changed your password and you will need to reset it before you are able to use your account.

If you use the same login details for your Executive Club account as you do for your online accounts with any other organisations, we would also recommend that you change the passwords for these accounts, as well as exercising vigilance regarding any unusual or suspicious use of your personal data.

For a short period of time, as a precaution, we have also suspended the use of Avios on your account. We will let you know when this suspension period is over.

In the meantime, however, if you wish to spend your Avios please contact us via your local Executive Club service centre. We will be able to reactivate your account by asking you some additional security questions.

We are sorry for the concern and inconvenience this matter may have caused you and would like to reassure you that we are taking this incident seriously.

British Airways Executive Club team

It is not clear which ‘online service’ he is meant to have used that led to his account being compromised.  It seems that it is NOT AwardWallet, which would be the obvious suspect because it is the biggest of the online account management apps.  None of the four people on Flyertalk who received this email report having shared their details with ANY third party apps.

It seems that fraudulent use of accounts is linked to both hotel bookings with Avios and flights.  Russia appears to be a common thread among the flight routes and hotel guest names.  This sort of behaviour is hugely risky of course since it relies on the account holder not noticing that his account balance has dropped.  (This is why it would be stupid to hack AwardWallet, since you would be alerted as soon as your balance moved!)

One Flyertalk poster even found that the name on his BA account had been changed – heaven knows how that was done.

The moral of this story is to keep an eye on your balances – ironically, this may involve giving your details to a service like AwardWallet – and treat account security in the same way you would treat bank account security (which, in some ways, it is).


Comments

  1. Received the same mail today and logged-on to my account – Avios balance zero -450k manually adjusted. Will have to wait until tomorrow to call them… The only system linked is Award Wallet – surely that must be the easiest way-in? Either that or an inside job…

  2. Silverpawn says:

    This is a strange incident it appears my account was hacked as well, although my wife’s wasn’t. It couldn’t be a stolen password from a different site as all the passwords we use are unique and complex. It can only have come from BA having their passwords hacked or a related loyalty system that has a backdoor to avios. This will take some explaining. It isn’t Russian travel as I’ve not been there.

  3. Charlie says:

    I also got locked out of my BAEC account today but did not receive any email, I used the reset password procedure to regain access, and can see my balance has been transferred out using an ex-gratia transaction. I think the decision by BA to take this action on my account is down to some flawed analysis or botched IT maintenance!

  4. Email received, account balance: 0 ex gratia manual adjustment. I’m sure no one could have hacked my account since my username is specific to the BA website. I use award wallet and have made several bookings in the past month though… To make the most of my Avios before the devaluation starting at the end of April…

  5. Like many others, can’t login to my account, have tried password reset, but nothing back so far, guessing if/when I get in, it will be a zero balance, no email or any communication from BA, so guess I will join the back of the phone queue tomorrow to try and understand what they are doing. Big lump of AVIOS at risk and 2-4-1 vouchers as well…. Timing just as we get up to April a co-incidence? Hmmmm…….

    Will update if/when I can get back into account – was ok yesterday….

    • Tried to reset last night, but reset link was not working. Got the reset emails through around 0500 this morning, they had of course timed out. Could reset now, and like everyone else reporting, I have Tier points but 0 AVIOS, all removed by ex-gratia yesterday.

      VERY long thread at Flyertalk on this with LOADS of people affected;
      http://www.flyertalk.com/forum/british-airways-executive-club/1666639-27-mar-large-numbers-baec-accounts-being-locked-zeroed-out-audit-ex-gratia.html

      Like what is reported here, very little information about why etc. – blanket change by BA for some reason, probably to “protect” people’s balances for some reason – I checked my balance yesterday as about to do redemption, and it was fine, and the ex-gratia equals my full balance, so from a “positive”, it does look like it’s BA that have removed rather than someone hacking etc.

      Will be interesting to see if BA communicates anything about this, either publicly or to the BAEC members.

  6. Mine too – could not log in. Reset password to find over a 100’000 gone……

  7. +1 I have also joined the club!! I did not receive any communication from BA so far!!
    It looked like they have frozen (ex gratia) my points after I checked my account by Award Wallet Friday morning.
    I have not made any redemption recently, I am waiting to do it in the next couple of weeks..
    What a timing…..
    I bet the phone line will be very busy tomorrow!

  8. RIccati says:

    +1. All household member accounts are frozen. Possible to re-set password. Avios removed with “Ex-Gratia – Manual Avios Adjustment” line on the statement. Even the minor amounts like 750 Avios were removed.

    Given the coming devaluation, timing could NOT be worse. Now I have to call them from Japan asking to contact the mysterious back office?

    • RIccati says:

      P.S. Also all of a sudden, the account became “ineligible to Combine my Avios” — how would I transfer points from the Diamond Club that come from the BMI credit card?

      Combined with devaluation and timing, is BA set on seriously upsetting the customers?

  9. I’ve been in touch with Award Wallet, and they’ve referred me to this link…

    https://awardwallet.com/forum/viewtopic.php?f=16&t=6616&p=10711#p10711

    • RIccati says:

      I have one account that is part of Household but NOT on Awardwallet check. That account was left untouched and no Avios were removed from it (others were locked, Avios removed by Ex-Gratia line).

      It might have to do with a frequency of logins rather than Awardwallet per se but all the same.

  10. My AA accounts are downed too!

  11. Fortunately all my points are still intact but 40% of my profile is missing – including all the advance passenger information, i.e. passport information is all deleted.

  12. I was notified by BA as well. This happened at the same time that my Spotify account was hacked. It can’t be a coincidence, right? Anyone else find other accounts affected at the same time?

  13. Georgie says:

    Very poor communication by BA. The least they could do is put up a notice on the Executive Club site, apologising for the inconvenience whilst they look into this.

    The email that has been sent out in an inconsistent manner to those whose accounts have been compromised looks like a classic phishing email, oh the irony.

  14. TheFamousJames says:

    Same thing here – got the email from BA, account locked, password needed to be changed and then the ex gratia points adjustment. Fortunately, just made a large redemption so not many points “missing.” Though that’s not the point of course!

    Out of interest, is anyone using TripIt Pro to monitor their points? Not suggesting there’s a connection, just aware that the feature exists and uses stored credentials…

  15. Just got this today too. Reset link not working at present- I assume my emails are at the back of a long queue.