I had a tweet on Friday from an HFP reader who suddenly found himself locked out of his British Airways Executive Club account. The call centre were not willing to enlighten him further.
Over the weekend, more details have trickled out.
This email from British Airways was posted by a user at Flyertalk:
British Airways has become aware of some unauthorised activity in relation to your Executive Club account.
This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to your Executive Club account.
We understand this was login information relating to a different online service which you may have also used to access your Executive Club account.
We would like to reassure you that, although it does appear that the login attempt was successful, at this stage we are not aware of any access to any subsequent information pages within your account, including your flight history or payment card details.
We have now locked down your online account to protect it from further access. As part of the lock-down process we have also changed your password and you will need to reset it before you are able to use your account.
If you use the same login details for your Executive Club account as you do for your online accounts with any other organisations, we would also recommend that you change the passwords for these accounts, as well as exercising vigilance regarding any unusual or suspicious use of your personal data.
For a short period of time, as a precaution, we have also suspended the use of Avios on your account. We will let you know when this suspension period is over.
In the meantime, however, if you wish to spend your Avios please contact us via your local Executive Club service centre. We will be able to reactivate your account by asking you some additional security questions.
We are sorry for the concern and inconvenience this matter may have caused you and would like to reassure you that we are taking this incident seriously.
British Airways Executive Club team
It is not clear which ‘online service’ he is meant to have used that led to his account being compromised. It seems that it is NOT AwardWallet, which would be the obvious suspect because it is the biggest of the online account management apps. None of the four people on Flyertalk who received this email report having shared their details with ANY third party apps.
It seems that fraudulent use of accounts is linked to both hotel bookings with Avios and flights. Russia appears to be a common thread among the flight routes and hotel guest names. This sort of behaviour is hugely risky, of course, since it relies on the account holder not noticing that his account balance has dropped. (This is why it would be stupid to hack AwardWallet, since you would be alerted as soon as your balance moved!)
One Flyertalk poster even found that the name on his BA account had been changed – heaven knows how that was done.
The moral of this story is to keep an eye on your balances – ironically, this may involve giving your details to a service like AwardWallet – and treat account security in the same way you would treat bank account security (which, in some ways, it is).