What happened with the British Airways and SITA data breach?
Links on Head for Points may support the site by paying a commission. See here for all partner links.
Many HfP readers will have received an email from British Airways on Friday night concerning a data breach at SITA, an IT provider to the airline industry.
If you didn’t get it, it said:
“Dear Customer,
We take the protection of your data very seriously.
We have been notified of a data breach at global technology company SITA, an IT services provider to many airlines around the world. SITA is not British Airways’ booking and reservations system provider and SITA’s breach does not involve our customers’ financial information or password as SITA does not have access to this data. Please be reassured that this incident was not a breach of British Airways’ systems.
Along with many other airlines, we do share limited information with partner airlines in order to enhance your experience when flying with them. We have been notified by SITA that some British Airways Executive Club Members’ names, membership numbers and some of their preferences, such as seating, has been impacted.
The password you use for your account is not held by SITA and has not been put at risk by this breach.
As a precaution, given the potential that customers have re-used passwords used for other websites, we are taking the following action to protect you:
* Please log into your account and reset your password
* Please create a new password that you have not used elsewhere
* Once your password has been reset and you have completed a verification step, you will be able to regain full access to your account
We know fraudsters try to use situations like this to their advantage. We will not contact you by phone and ask for your password – please do not reveal your password to anyone claiming to be from British Airways. If you need to contact us, you can do so via our contact centres.
We are sorry for the inconvenience caused and thank you for your continued support and cooperation in helping us to keep your information safe and secure.
British Airways”
How did the breach happen?
The majority of legacy airlines, including all Star Alliance ones, were impacted by this breach.
It was caused by a breach of SITA’s ‘Passenger Service System’, a service that handles transactions from ticket reservations to boarding.
Here is SITA’s statement:
“SITA confirms that it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc. servers. Passenger Service System (US) Inc. (“SITA PSS”) operates passenger processing systems for airlines.
After confirmation of the seriousness of the data security incident on February 24, 2021, SITA took immediate action to contact affected SITA PSS customers and all related organizations.
We recognize that the COVID-19 pandemic has raised concerns about security threats, and, at the same time, cyber-criminals have become more sophisticated and active. This was a highly sophisticated attack.
SITA acted swiftly and initiated targeted containment measures. The matter remains under continued investigation by SITA’s Security Incident Response Team with the support of leading external experts in cyber-security.
If you are the customer of an airline and have a Data Subject Access Request in relation to the handling of your personal data, this request must be made directly to that airline in accordance with GDPR and data protection legislation. SITA is unable to respond directly to any such request.”
Multiple airlines were impacted
According to Lufthansa, it appears that intruders entered the reservation system of an Asian airline that is a Star Alliance member between 21st January and 11th February.
All Star Alliance airlines share details of all of their elite members with each other, to allow status members to be identified.
What is odd is why other non-Star Alliance airlines are contacting members. It doesn’t explain why BA believes that Executive Club passenger data was being kept by this Asian airline.
Airlines reported to have emailed passengers about the breach include Lufthansa (reportedly the largest data set), Air New Zealand, Singapore Airlines, SAS, Cathay Pacific, Jeju Air, Malaysia Airlines and Finnair.
Most of the airline emails I saw were pretty sanguine. They said, in effect, “Yes, someone has got your frequent flyer account number, but you shouldn’t worry about it because they don’t have your password.“
This is correct. Some, but by no means all, stolen data sets reportedly had a name attached to the frequent flyer number. The only way your account could be hacked is if your name – a name presumably shared by many people – appears on another hacked ID list from a different company, and the password leaked in that breach was the same as your BA password. Unlikely? Yes, but clearly not impossible.
What did British Airways do?
For once, British Airways took an IT breach far more seriously than anyone else. Perhaps too seriously.
On Friday night, it locked people out of their BA accounts. Unfortunately, ba.com has a very complex and buggy system for resetting passwords, which doesn’t work properly if you are logged in. It also requires 2FA. Weirdly, once you had reset your password, many people were asked to change it again and could only regain access after the 2nd change.
Many people were blocked from logging in via their membership number, and only email addresses were being accepted. Some couldn’t use their email address either but found that their user name, which BA tried to phase out years ago, worked. People appeared to have specific difficulties resetting passwords using Chrome, whilst Firefox worked fine.
And then …. it went away
Overnight from Friday to Saturday, BA appears to have removed all blocks. If you spent time resetting your password on Friday, you had wasted your time. If you’d left your account alone it would have been functioning fine yesterday.
For some reason BA seems to have decided that it had overreacted. This is possibly due to a call centre meltdown from people who were trying to reset their passwords but couldn’t. BA may have decided that it couldn’t afford to have its telephone lines blocked out with password queries for the next few days.
All very odd. However, as they say, ‘there’s nothing to see here’.
How to earn Avios from UK credit cards (October 2024)
As a reminder, there are various ways of earning Avios points from UK credit cards. Many cards also have generous sign-up bonuses!
In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.
You qualify for the bonus on these cards even if you have a British Airways American Express card:
Barclaycard Avios Plus Mastercard
Get 25,000 Avios for signing up and an upgrade voucher at £10,000 Read our full review
Barclaycard Avios Mastercard
Get 5,000 Avios for signing up and an upgrade voucher at £20,000 Read our full review
There are two official British Airways American Express cards with attractive sign-up bonuses:
British Airways American Express Premium Plus
30,000 Avios and the famous annual 2-4-1 voucher Read our full review
British Airways American Express
5,000 Avios for signing up and an Economy 2-4-1 voucher for spending £15,000 Read our full review
You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points. These points convert at 1:1 into Avios.
American Express Preferred Rewards Gold
Your best beginner’s card – 20,000 points, FREE for a year & four airport lounge passes Read our full review
The Platinum Card from American Express
50,000 bonus points and great travel benefits – for a large fee Read our full review
Run your own business?
We recommend Capital on Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios.
Capital on Tap Business Rewards Visa
10,000 points bonus – plus an extra 500 points for our readers Read our full review
There is also a British Airways American Express card for small businesses:
British Airways American Express Accelerating Business
30,000 Avios sign-up bonus – plus annual bonuses of up to 30,000 Avios Read our full review
There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.
SPECIAL OFFER: Until 22nd October 2024, the bonus on American Express Business Platinum is increased to up to 80,000 Membership Rewards points, worth 80,000 Avios. You will receive 8 points per £1 spent for the first three months, on up to £10,000 of spending. Click here to read our full card review. Click here to apply.
SPECIAL OFFER: Until 22nd October 2024, the bonus on American Express Business Gold is increased to up to 40,000 Membership Rewards points, worth 40,000 Avios. You will receive 4 points per £1 spent for the first three months, on up to £10,000 of spending. The card is FREE for your first year. Click here to read our full card review. Click here to apply.
American Express Business Platinum
Up to 80,000 points when you sign-up and an annual £200 Amex Travel credit Read our full review
American Express Business Gold
Get up to 40,000 points as a sign-up offer and FREE for a year Read our full review
Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.
Comments (43)