Account hacked – case resolution

    norm29 4 posts

    Hi all, in January I had my BA account hacked and 400k points transferred to a Qatar account that wasn’t mine. As soon as I saw the emails I called BA to suspend my account. It’s been >6 weeks since, the case is still open, no way of chasing/following up for status update with a real person, chatbot says

    “OK, your case is currently in the queue.
    Your complaint or claim is currently pending review by our team.
    We’re sorry it’s taking longer than you’d expect to receive a response from us. Please know that we’re working hard to get to your case as soon as possible.”

    Any other experience and how long should I expect to wait? Any options for escalation?

    Thanks, Andy

    PeteM 804 posts

    Email Sean Doyle directly – hopefully the executive complaints team (who will pick it up) will be able to help.

    Blair Waldorf Salad 1,190 posts

    Whoa, 6 weeks without knowing the source of the fraud. You could be susceptible to more attacks. I’d be reporting to Action Fraud and submitting a DSAR to try to uncover the vulnerability myself.

    Stephen 53 posts

    Email Sean Doyle directly – hopefully the executive complaints team (who will pick it up) will be able to help.

    Do you have an email address for Sean?

    I’ve tried seanl.doyle@ba.com with no luck

    Mikeact 252 posts

    Whoa, 6 weeks without knowing the source of the fraud. You could be susceptible to more attacks. I’d be reporting to Action Fraud and submitting a DSAR to try to uncover the vulnerability myself.

    And just what would Action Fraud do? Nothing, in my experience. Just adds to their statistics.

    PeteM 804 posts

    Email Sean Doyle directly – hopefully the executive complaints team (who will pick it up) will be able to help.

    Do you have an email address for Sean?

    I’ve tried seanl.doyle@ba.com with no luck

    Hmm! That’s the one I’ve used before…

    Blair Waldorf Salad 1,190 posts

    Whoa, 6 weeks without knowing the source of the fraud. You could be susceptible to more attacks. I’d be reporting to Action Fraud and submitting a DSAR to try to uncover the vulnerability myself.

    And just what would Action Fraud do? Nothing, in my experience. Just adds to their statistics.

    Yes exactly; adds to the stats that BA is a soft target and loyalty points theft is a material loss.

    norm29 4 posts

    Thanks for the replies, I’ll email Sean Doyle and review the Action Fraud route. Password has been changed, 240k ish still in there but account is locked ‘for my security’…

    BeckyA 1 post

    Hi All,
    On 8th December 2023, I received an email saying that my account had been linked with a Nectar card and almost immediately 50100 Avios points were exchanged, I quickly called BA, as I don’t have a Nectar card and didn’t do this, so they blocked my account saying that this was happening a lot and would investigate, it would take a few weeks but they would sort it. On 17th January I still had not heard anything so called again, again I got told that they would look into it and to wait around 2 weeks, they were going to prioritize it! In the middle of February I made an online complaint, which when checking its status today has been closed and resolved. I don’t know how because I have not heard anything and my account is still blocked and Avios points still are missing. I have called today and they are going to unlock my account but nothing has been done in the 3 months to investigate or resolve this. I am now looking for an email address to contact them to give them one last chance before taking this further. I am so angry at them for doing nothing and especially for breach of privacy which must come from BA’s side, which they pretty much admitted to me when confirming it had happened to a lot of others. I have spent thousands of pounds with them and am a Silver member and they do not give a fig! I would be very grateful if anyone has an email address to contact them, so I can put in words my frustration.

    NorthernLass 8,493 posts

    The Sean Doyle email address is above.

    What further action are you planning to take – genuinely interested in case this ever happens to me?!

    Also, has anyone ever had confirmation that Action Fraud would a) consider this a crime (other than a possible data breach) or b) carry out any sort of investigation?

    In any case, avios belong to BA, so it would be down to them to report any loss and/or instigate an investigation. It’s also highly likely that many breaches originate abroad, so no agency in this country would have any jurisdiction to do anything about it anyway.

    NorthernLass 8,493 posts

    @BeckyA, did you also contact Nectar – I don’t know if your account showed any details of the Nectar account your avios had been transferred to? From previous reports on here this is a very easy route for scammers, though the normal route is to obtain someone’s Nectar details and drain their account of points rather than involve avios.

    Misty 313 posts

    @BeckyA

    So sorry to read this, that is a lot of avios just to disappear.

    I seem to check my BAEC account most days as I live in dread of my account being hacked, and would want to report it immediately, however it seems like Ex Club either do not want to know or have no systems in place to sort it out. It is particularly galling when they say oh we know about this it’s happened to others, and still do nothing.

    I appreciate that the Avios belong to BA, but when you have spent a fair amount of money Boosting and taking out Subscriptions, you have spent hard cash on them, so it seems harsh that there appears to be no recompense for this.

    NorthernLass 8,493 posts

    Obviously the resolution people want is their avios back, but only BA can effect this, so it’s a case of being persistent with them. What’s going on within BA systems that people’s accounts can be accessed and avios removed is something we never hear about, of course I would love to know what BA does to address this. I imagine people have been sacked, but these things are usually dealt with in-house, so it’s unlikely that any other action is taken.

    I would also be kicking up a fuss with Nectar as this transaction will presumably be logged in their system somewhere and as a UK-based company they are probably more likely to be able to offer concrete information about where those points went.

    Cranzle 279 posts

    Does anyone have any advice on preventative measures?

    NorthernLass 8,493 posts

    Change your password often and keep an eye on your account activity is about all you can do. I presume that in the case of inside jobs, it doesn’t even matter how strong your account security is because they have a certain level of access to it anyway. The Nectar thing was getting ridiculous, though I hadn’t seen any new posts about those scams for a while.

    simonbarker 61 posts

    Changing your password often is less important than simply not using the same password on multiple sites. Password reuse is the number one reason other accounts get hacked.

    Put your email address into https://haveibeenpwned.com and if your email address appears in any nefarious/hacked data sets you will get an email alert so you know the source of the leak and how bad it was. I get an email every few months with some notification that my data has appeared in some big dataset that’s been hacked from somewhere.

    norm29 4 posts

    The Sean Doyle email address is above.

    What further action are you planning to take – genuinely interested in case this ever happens to me?!

    This is my concern, there’s no point of escalation bar being a nuisance and complaining publicly on social media. I emailed Sean, no automatic response but I won’t hold my breath.

    John 1,095 posts

    Didn’t they introduce the 10-14 day wait for avios>nectar conversions to combat this exact type of fraud? So if someone contacted BA within that period, I would have thought BA could immediately cancel the transaction without loss to anyone.

    NorthernLass 8,493 posts

    Yes, and another reason to contact Nectar, even if you’re not a customer. They should have records of which customer those points are going to and at the very least could freeze the account. Also, if the points have already been converted and spent, there should be a record of whose card was used and where the transaction took place. Sainsbury’s don’t seem hugely bothered by this kind of thing, though, but might start being a bit more pro-active about preventing it if more people started drawing attention to it.

    The flow of points isn’t like a flow of cash though, and there’s no legislation to specifically deal with it.


    @simonbarker, I’m no IT expert but I’m not sure it would be worth the effort of actual hacking for a few thousand loyalty points that can’t easily be converted to cash (you can buy goods with Nectar points but these would have little resale value to a criminal). Rather, I think that more often it’s employees who are behind this and it’s unclear how much effort (if any!) companies put into combatting this kind of behaviour. I would have thought that real computer hackers would be more interested in obtaining credit card details or personal data which are much more lucrative for them.

    PeteM 804 posts

    Does anyone have any advice on preventative measures?

    Using a password manager like 1Password (hence using unique, strong passwords for every website) and enabling 2F authentication where available. Hopefully with the latter being introduced to the BA site soon, these cases should reduce!

    NorthernLass 8,493 posts

    What this also highlights is the importance of safely filing all confirmation emails from BA, in the event that your account gets locked and you are travelling before it gets resolved (highly likely, by the sound of it!) Then as a last resort you have booking references and ticket numbers to present at the airport if you can’t access your account/do OLCI.

    Ihar 237 posts

    Using a password manager like 1Password (hence using unique, strong passwords for every website) and enabling 2F authentication where available. Hopefully with the latter being introduced to the BA site soon, these cases should reduce!

    Absolutely! I have LastPass (don’t judge!) and have almost 500 passwords stored. Every one unique, and about 3 I know. The biggest security risk is re-using passwords across sites/apps. That way hackers only need to hack the most insecure site to get your credentials.

    Apart from the 3 passwords I know (my vault, my email, my Microsoft acct), I have no idea. One of those 500 passwords is $KwV3&mYW6S7q7Ep . I have changed 2 characters 😉 Good luck using the info to hack anything (or remembering it!)
