What happened with the British Airways and SITA data breach?

Many HfP readers will have received an email from British Airways on Friday night concerning a data breach at SITA, an IT provider to the airline industry.

If you didn’t get it, it said:

“Dear Customer,

We take the protection of your data very seriously.

We have been notified of a data breach at global technology company SITA, an IT services provider to many airlines around the world. SITA is not British Airways’ booking and reservations system provider and SITA’s breach does not involve our customers’ financial information or password as SITA does not have access to this data. Please be reassured that this incident was not a breach of British Airways’ systems.

Along with many other airlines, we do share limited information with partner airlines in order to enhance your experience when flying with them. We have been notified by SITA that some British Airways Executive Club Members’ names, membership numbers and some of their preferences, such as seating, has been impacted.

The password you use for your account is not held by SITA and has not been put at risk by this breach.

As a precaution, given the potential that customers have re-used passwords used for other websites, we are taking the following action to protect you:

* Please log into your account and reset your password
* Please create a new password that you have not used elsewhere
* Once your password has been reset and you have completed a verification step, you will be able to regain full access to your account

We know fraudsters try to use situations like this to their advantage. We will not contact you by phone and ask for your password – please do not reveal your password to anyone claiming to be from British Airways. If you need to contact us, you can do so via our contact centres.

We are sorry for the inconvenience caused and thank you for your continued support and cooperation in helping us to keep your information safe and secure.

British Airways”

How did the breach happen?

The majority of legacy airlines, including all Star Alliance ones, were impacted by this breach.

It was caused by a breach of SITA’s ‘Passenger Service System’, a service that handles transactions from ticket reservations to boarding.

Here is SITA’s statement:

“SITA confirms that it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc. servers. Passenger Service System (US) Inc. (“SITA PSS”) operates passenger processing systems for airlines.

After confirmation of the seriousness of the data security incident on February 24, 2021, SITA took immediate action to contact affected SITA PSS customers and all related organizations.

We recognize that the COVID-19 pandemic has raised concerns about security threats, and, at the same time, cyber-criminals have become more sophisticated and active. This was a highly sophisticated attack.

SITA acted swiftly and initiated targeted containment measures. The matter remains under continued investigation by SITA’s Security Incident Response Team with the support of leading external experts in cyber-security.

If you are the customer of an airline and have a Data Subject Access Request in relation to the handling of your personal data, this request must be made directly to that airline in accordance with GDPR and data protection legislation. SITA is unable to respond directly to any such request.”

Multiple airlines were impacted

According to Lufthansa, it appears that intruders entered the reservation system of an Asian airline that is a Star Alliance member between 21st January and 11th February.

All Star Alliance airlines share details of all of their elite members with each other, to allow status members to be identified.

What is odd is why other non-Star Alliance airlines are contacting members. It doesn’t explain why BA believes that Executive Club passenger data was being kept by this Asian airline.

Airlines reported to have emailed passengers about the breach include Lufthansa (reportedly the largest data set), Air New Zealand, Singapore Airlines, SAS, Cathay Pacific, Jeju Air, Malaysia Airlines and Finnair.

Most of the airline emails I saw were pretty sanguine. They said, in effect, “Yes, someone has got your frequent flyer account number, but you shouldn’t worry about it because they don’t have your password.“

This is correct. Some, but by no means all, stolen data sets reportedly had a name attached to the frequent flyer number. The only way your account could be hacked is if your name – a name presumably shared by many people – appears on another hacked ID list from a different company, and the password leaked in that breach was the same as your BA password. Unlikely? Yes, but clearly not impossible.

What did British Airways do?

For once, British Airways took an IT breach far more seriously than anyone else. Perhaps too seriously.

On Friday night, it locked people out of their BA accounts. Unfortunately, ba.com has a very complex and buggy system for resetting passwords, which doesn’t work properly if you are logged in. It also requires 2FA. Weirdly, once you had reset your password, many people were asked to change it again and could only regain access after the 2nd change.

Many people were blocked from logging in via their membership number, and only email addresses were being accepted. Some couldn’t use their email address either but found that their user name, which BA tried to phase out years ago, worked. People appeared to have specific difficulties resetting passwords using Chrome, whilst Firefox worked fine.

And then …. it went away

Overnight from Friday to Saturday, BA appears to have removed all blocks. If you spent time resetting your password on Friday, you had wasted your time. If you’d left your account alone it would have been functioning fine yesterday.

For some reason BA seems to have decided that it had overreacted. This is possibly due to a call centre meltdown from people who were trying to reset their passwords but couldn’t. BA may have decided that it couldn’t afford to have its telephone lines blocked out with password queries for the next few days.

All very odd. However, as they say, ‘there’s nothing to see here’.

Although, if you feel that your mental health has been severely impacted by this, write down the details. You may be in for a few quid ……

---

How to earn Avios from UK credit cards (April 2024)

As a reminder, there are various ways of earning Avios points from UK credit cards.  Many cards also have generous sign-up bonuses!

In February 2022, Barclaycard launched two exciting new Barclaycard Avios Mastercard cards with a bonus of up to 25,000 Avios. You can apply here.

You qualify for the bonus on these cards even if you have a British Airways American Express card:

There are two official British Airways American Express cards with attractive sign-up bonuses:

You can also get generous sign-up bonuses by applying for American Express cards which earn Membership Rewards points. These points convert at 1:1 into Avios.

Run your own business?

We recommend Capital on Tap for limited companies. You earn 1 Avios per £1 which is impressive for a Visa card, along with a sign-up bonus worth 10,500 Avios.

SPECIAL OFFER: Until 12th May 2024, the Capital on Tap Business Rewards Visa card is offering a bonus of 30,000 points, convertible into 30,000 Avios. You must have a Limited Company to apply. Click here to learn more and click here to apply.

You should also consider the British Airways Accelerating Business credit card. This is open to sole traders as well as limited companies and has a 30,000 Avios sign-up bonus.

There are also generous bonuses on the two American Express Business cards, with the points converting at 1:1 into Avios. These cards are open to sole traders as well as limited companies.

Click here to read our detailed summary of all UK credit cards which earn Avios. This includes both personal and small business cards.