British Airways Executive Club forum: Avios stolen (Times story)

    masaccio 931 posts

    Story in The Times this morning that I don’t think has surfaced here before. Sorry if the person contacting The Times has already posted in the forum.

    https://archive.is/474Fl

    Basically a hack of their account to move Avios to Qatar. Followed by the usual panic at the company contacted by a national newspaper resulting in prompt resolution.

    I do wonder how effective BA’s 2FA is. I don’t think I’ve seen it asked for once since it was enabled.

    John 1,243 posts

    I’ve only been asked for 2FA to transfer to QR. But if the fraudster was the one who set up the 2FA…

    LD27 306 posts

    I read that article in The Times yesterday. I posted my recent experience earlier this month, which was very similar. I was unable to access my account and check in for a flight early next morning. There were also issues at the airport, but eventually got a boarding pass. Whilst waiting to board the plane I checked my emails to find one received overnight from BAEC saying I had changed my password and if I hadn’t, I should contact them. I assumed it was a scam email. As soon as I got back to the UK, I logged into my account using my Executive Club number instead of email. Found Combine My Avios had been used to transfer all my Avios to Iberia – but not to my account. A couple of phone calls and emails later, all my points were returned to my account just over two weeks after I first contacted BAEC.

    NorthernLass 9,691 posts

    It’s been noted previously that experiences seem to differ vastly for how long it takes to get a resolution in these cases.

    randomlyAlex 2 posts

    BA’s 2FA is clearly an afterthought, and probably poorly designed/executed.

    I enabled it, but I’ve got a new 2FA device since (have access to my old one, thankfully) and there is no way I can update (or even deactivate!?) 2FA to swap it over. Asked their help and they have no idea. All I can change is my password 😂

    LD27 306 posts

    > BA’s 2FA is clearly an afterthought, and probably poorly designed/executed.
    >
    > I enabled it, but I’ve got a new 2FA device since (have access to my old one, thankfully) and there is no way I can update (or even deactivate!?) 2FA to swap it over. Asked their help and they have no idea. All I can change is my password 😂

    I have never been able to set up 2FA and despite having my account blocked and unlocked last week, I still can’t. If I had been able to, then maybe my Avios wouldn’t have been stolen.

    OliverBAflyer 1 post

    A week ago today my Avios account was hacked, my bookings for flights were cancelled, and all my Avios stolen.

    Got the “you’ve changed your email address” email during the night so didn’t spot it until the next morning.

    I’ve called Avios customer services 5 times, I’ve been promised callback and that “they’re working on the case” but I’ve had nothing back (been a week now).

    I’ve emailed several times and had no response.

    I’m worried about the data that may have been stolen too – so I submitted a DSAR to the BA DPO but got nothing apart from an automated email.

    The flights that were cancelled were for two holidays I am taking my family on. I don’t know what to do. Should I rebook them for cash and just take the hit – or should I wait for BA to “resolve” the issue.

    This has been a horrible week. Never have I ever dealt with a company that simply doesn’t care about its customers’ data. Thought they’d be keen to resolve the issue quickly… instead they’re just trying to get me to go away.

    So sad – so disappointed with BA.

    BA Flyer IHG Stayer 2,820 posts

    I’m going to be blunt here but emailing multiple times simply will not help.

    Nor will the repeated calls.

    The DSAR request is a separate matter. The auto reply should have given you a time frame for a response.

    It’s not that they don’t care but they have processes in place they need to follow such as properly investigating the account breach.

    What I would do is call once more tomorrow, calmly speak to the agent, ask to speak to a supervisor and calmly reiterate your concerns, especially about the cancelled flights, and ask what BA are going to do to rebook them for you or what you should do about rebooking yourself.

    masaccio 931 posts

    Having been involved in security investigations myself at work, this stuff just takes time. Factor in the need to have some legal oversight as well, and a week of not much happening is really not unusual.

    Please don’t think I am levelling this at you @OliverBAflyer, but their investigation also has to take into account the possibility that somebody might raise a case like this as part of a fraud.

    I’d add to the advice above and say you should ask for an ETA for the next step in their investigation, even if that’s not full resolution.

    Benji H 1 post

    Unfortunately, I am currently going through something similar. I woke up on 3 Aug to a BA verification code text which was sent in the middle of the night. Thought it was strange and then went on my emails and saw a “your email has been changed” email from BA. Called them up straight away and it turns out 200k of my 387k Avios had been transferred (not sure where), but my BA account is already linked to Qatar and still is. Called the Gold line and they blocked my account and said someone would be in touch within 5 days. Still no contact after 2 weeks, called again and was told it’s been escalated; 2 weeks later still nothing from BA, so called again and was told it’s been escalated again. A further 2 calls later and still waiting for someone from BA to contact me, and my account remains blocked. Only positive is I’ve not had to wait more than 5 mins to get through on the Gold line and at least they didn’t cancel any of my bookings, but BA customer service has been very poor and they should at least be keeping me informed saying it’s being looked at.

    NorthernLass 9,691 posts

    I suspect a lot of these cases are inside jobs – there should really be a facility to voluntarily lock your account in some way so that any changes or transfers have to be verified by a phone call. For me, that extra level of security would be worth not going through the rigmarole that everyone seems to endure in these circumstances!

    I appreciate that investigations take time, but as the old (pre-metric) saying goes, “an ounce of prevention is better than a pound of cure”.

    RussellH 167 posts

    What is really galling about these experiences is the total lack of communication, when communication within a specified time frame is promised.
    One would think by now that businesses would recognise this, but they clearly do not.

    It really should not be beyond BA, or others, to phone back as promised and make a brief report along the lines of:

    “Morning, this is BA CS. You phoned us a few days ago because of (xxxxx). We promised to be in contact within 5 days, but unfortunately we do not have any news for you as yet. I can assure you that we are investigating this thoroughly, and I or one of my colleagues will be in touch again within the next 5 days to let you know how we are getting on.”

    NorthernLass 9,691 posts

    It sounds as though no one in management has got a grip of the issue, but as someone posted re the similar Nectar issue, it’s probably just not a priority. I have no idea how deep they go into these transactions forensically but it’s likely to involve quite a lot of work for minimal appreciable gain to BA (difficult to quantify the value of potentially losing a customer whose future spend isn’t known).

    rams 263 posts

    > I suspect a lot of these cases are inside jobs – there should really be a facility to voluntarily lock your account in some way so that any changes or transfers have to be verified by a phone call. For me, that extra level of security would be worth not going through the rigmarole that everyone seems to endure in these circumstances!
    >
    > I appreciate that investigations take time, but as the old (pre-metric) saying goes, “an ounce of prevention is better than a pound of cure”.

    Kind of related, but Nectar – they emailed me a few weeks ago to say my points balance is at such a level that I need to call to use the points. Not had a use for them yet so won’t know how inconvenient it is, but thought that was an interesting step by them.

    NorthernLass 9,691 posts

    Interesting – maybe worth an update on the recent-ish thread on Nectar issues!

    masaccio 931 posts

    > What is really galling about these experiences is the total lack of communication, when communication within a specified time frame is promised.
    > One would think by now that businesses would recognise this, but they clearly do not.
    >
    > It really should not be beyond BA, or others, to phone back as promised and make a brief report along the lines of:
    >
    > “Morning, this is BA CS. You phoned us a few days ago because of (xxxxx). We promised to be in contact within 5 days, but unfortunately we do not have any news for you as yet. I can assure you that we are investigating this thoroughly, and I or one of my colleagues will be in touch again within the next 5 days to let you know how we are getting on.”

    Ah, that would be customer expectation management. Serious black belt customer service that.

    Sigh, BA.

    Londonsteve 342 posts

    This is a terrible situation to be in, lots of empathy from me.

    Perhaps someone with knowledge of this sort of thing could post some words of advice here to advise the rest of us how we can minimise the chances of something similar happening to us?

    Misty 360 posts

    Awful to read these cases, empathy from me too. I check my account probably every other day, to make sure it’s still there. Then I started to wonder if, by keeping logging in, I was putting myself at any further risk.

    I’m still 99.999% convinced that when my clubcard account was hacked years ago and approx. £350 of vouchers spent it was an inside job.

    Good luck to all of those who have had their Avios taken, fingers crossed that you have a good resolution shortly.

    Wiseoldman 205 posts

    Unlike using Nectar or Tesco points at a shop, Avios are used for booking flights, which means passports/card details. How would anyone profit from this? Even if an unscrupulous person stole Avios and sold them on eBay or sold relevant flights at a discount, there would be a paper trail. Boggles my “simple” mind, and I ran a small bank dealing with security and now a health business with more security/encryption.

    NorthernLass 9,691 posts

    Unscrupulous/dishonest employee channels loyalty points from customer accounts to associates who then spend them or sell them. They know that even if they get caught the worst that will happen is that they will be sacked from their minimum-wage job but they’ll probably easily find another one.

    Also, businesses don’t want it being publicised that their security is rubbish and their employees untrustworthy!

    Misty 360 posts

    As an aside the Tesco’s I used to use some years ago always used to put up an enormous Christmas tree, but it used to puzzle me that year after year it was never decorated, apart from a star at the very top. One year I asked a member of staff why and their reply was there was no point as they always got nicked.

    MrWhite 114 posts

    > This is a terrible situation to be in, lots of empathy from me.
    >
    > Perhaps someone with knowledge of this sort of thing could post some words of advice here to advise the rest of us how we can minimise the chances of something similar happening to us?

    I imagine it’s the usual (if you Google) of using a strong password that is independent of any other password you use on other sites.

    The 2FA seems to be a bit of a joke. Rarely makes an appearance, then does for a short period of time, then goes again.

    If it’s an inside job, then not much can be done by us customers. Clearly this would be BA having insufficient control to prevent employees from accessing or changing customer account details. It may not be a “hack” of the login but the ability to transfer avios from one account to another.

    Londonsteve 342 posts

    > If it’s an inside job, then not much can be done by us customers. Clearly this would be BA having insufficient control to prevent employees from accessing or changing customer account details. It may not be a “hack” of the login but the ability to transfer avios from one account to another.

    Logically therefore, accounts with large balances are at greater risk of being targeted. More motivation to spend rather than hoard Avios and just keep whatever balance is essential to book last minute short-haul flights. I think BA would be quite happy if we all quickly burned through our balances, getting people to spend their accumulated points is one of their challenges.

    I was particularly concerned to read about existing bookings being cancelled. It’s one thing to have your Avios balance stolen, another to have travel you’ve already booked cancelled, potentially at great cost and inconvenience. Even if you get your balance reinstated, you won’t be compensated for having to replace cancelled flights at greater cost.

    Ihar 389 posts

    Most accounts hacked in this way (if they are isolated) are a result of password reuse – i.e. you use the same password as on other websites, that site gets hacked, then they password-stuff it to try and log in on thousands of other sites. Maybe they get lucky….

    It can’t be an inside job as they wouldn’t have your password, and any “internal adjustments/transfers” would be logged. Unless of course you used an insecure password, then it’s possible for IT to possibly “decipher” your password.

    It can’t be difficult to find where the Avios has gone, and as there’s no “cash-out” option to cancel and reinstate them
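    The credential-stuffing pattern described above (one source trying a leaked password list against many accounts until one works, followed by an email change and a points transfer, as several posters report) is exactly what a site's own authentication logs can reveal. The following is an added illustration, not code from the forum, BA or any loyalty programme: it runs two detection rules over a constructed sample log whose four-field layout (timestamp, source IP, account, event) is an assumption for the example.

```python
"""Two detections over a web-auth log for the account-takeover pattern
discussed in the thread.  Added example; the log below is constructed and
its field layout (timestamp ip account event) is assumed, not a real format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log.  One source fails against five different accounts
# in seconds (stuffing), succeeds on the sixth, then changes the contact
# email and transfers points.  A second source is a user mistyping their own
# password twice, which should not be flagged.
SAMPLE_LOG = """\
2024-08-03T02:10:01 203.0.113.7 user001 login_fail
2024-08-03T02:10:02 203.0.113.7 user002 login_fail
2024-08-03T02:10:02 203.0.113.7 user003 login_fail
2024-08-03T02:10:03 203.0.113.7 user004 login_fail
2024-08-03T02:10:04 203.0.113.7 user005 login_fail
2024-08-03T02:10:05 203.0.113.7 user006 login_ok
2024-08-03T02:11:30 203.0.113.7 user006 email_changed
2024-08-03T02:14:12 203.0.113.7 user006 points_transfer
2024-08-03T09:00:00 198.51.100.4 user042 login_fail
2024-08-03T09:00:20 198.51.100.4 user042 login_fail
2024-08-03T09:00:45 198.51.100.4 user042 login_ok
"""


def parse_log(text):
    """Parse the assumed 'timestamp ip account event' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, event = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "account": account, "event": event})
    return events


def stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Rule 1: a source IP that fails logins against >= min_accounts *distinct*
    accounts inside a sliding window.  Distinct accounts, not raw failure
    count, is what separates stuffing from a single user's typos.
    Returns {ip: distinct_accounts_in_window}."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "login_fail":
            fails[e["ip"]].append((e["ts"], e["account"]))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            accounts = {a for t, a in attempts[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = len(accounts)
                break
    return flagged


def takeover_sequences(events, window=timedelta(hours=1)):
    """Rule 2: per account, a successful login followed within the window by
    an email change and then a points transfer, the sequence the posters
    describe.  Returns {account: ip_of_the_login}."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["event"] != "login_ok":
                continue
            later = [x["event"] for x in evs[i + 1:] if x["ts"] - e["ts"] <= window]
            if ("email_changed" in later and "points_transfer" in later
                    and later.index("email_changed") < later.index("points_transfer")):
                hits[account] = e["ip"]
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("takeover sequences:", takeover_sequences(evs))
```

    Either rule on its own is a reasonable alert; an account that matches rule 2 from an IP that matched rule 1 minutes earlier is the case where a provider should freeze the transfer and re-verify the customer rather than let it complete, which is the "lock and verify" control NorthernLass asks for earlier in the thread.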

    masaccio 931 posts

    And BA’s woeful two-factor makes password theft effective.

    @Ihar you assume BA hash the passwords in their database. Incompetence is a core value, it seems, in BA IT.
