BA suspending BAEC accounts after suspected hacking attack

I had a tweet on Friday from an HFP reader who suddenly found himself locked out of his British Airways Executive Club account. The call centre were not willing to enlighten him further.

Over the weekend, more details have trickled out.

This email from British Airways was posted by a user at Flyertalk:

Dear Customer

British Airways has become aware of some unauthorised activity in relation to your Executive Club account.

This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to your Executive Club account.

We understand this was login information relating to a different online service which you may have also used to access your Executive Club account.

We would like to reassure you that, although it does appear that the login attempt was successful, at this stage we are not aware of any access to any subsequent information pages within your account, including your flight history or payment card details.

We have now locked down your online account to protect it from further access. As part of the lock-down process we have also changed your password and you will need to reset it before you are able to use your account.

If you use the same login details for your Executive Club account as you do for your online accounts with any other organisations, we would also recommend that you change the passwords for these accounts, as well as exercising vigilance regarding any unusual or suspicious use of your personal data.

For a short period of time, as a precaution, we have also suspended the use of Avios on your account. We will let you know when this suspension period is over.

In the meantime, however, if you wish to spend your Avios please contact us via your local Executive Club service centre. We will be able to reactivate your account by asking you some additional security questions.

We are sorry for the concern and inconvenience this matter may have caused you and would like to reassure you that we are taking this incident seriously.

British Airways Executive Club team

It is not clear which ‘online service’ he is meant to have used that led to his account being compromised. It seems that it is NOT AwardWallet, which would be the obvious suspect because it is the biggest of the online account management apps. None of the four people on Flyertalk who received this email report having shared their details with ANY third party apps.

It seems that fraudulent use of accounts is linked to both hotel bookings with Avios and flights.  Russia appears to be a common thread among the flight routes and hotel guest names.  This sort of behaviour is hugely risky of course since it relies on the account holder not noticing that his account balance has dropped.  (This is why it would be stupid to hack AwardWallet, since you would be alerted as soon as your balance moved!)

One Flyertalk poster even found that the name on his BA account had been changed – heaven knows how that was done.

The moral of this story is to keep an eye on your balances – ironically, this may involve giving your details to a service like AwardWallet – and treat account security in the same way you would treat bank account security (which, in some ways, it is).

Comments (69)

  • Liz says:

    Fortunately all my points are still intact but 40% of my profile is missing – including all the advance passenger information, i.e. passport information, is all deleted.

  • Owen says:

    I was notified by BA as well. This happened at the same time that my Spotify account was hacked. It can’t be a coincidence, right? Anyone else find other accounts affected at the same time?

  • Georgie says:

    Very poor communication by BA. The least they could do is put up a notice on the Executive Club site, apologising for the inconvenience whilst they look into this.

    The email that has been sent out in an inconsistent manner to those whose accounts have been compromised looks like a classic phishing email, oh the irony.

  • TheFamousJames says:

    Same thing here – got the email from BA, account locked, password needed to be changed and then the ex gratia points adjustment. Fortunately, just made a large redemption so not many points “missing.” Though that’s not the point of course!

    Out of interest, is anyone using TripIt Pro to monitor their points? Not suggesting there’s a connection, just aware that the feature exists and uses stored credentials…

  • nerd. says:

    Just got this today too. Reset link not working at present – I assume my emails are at the back of a long queue.