A good friend of mine was having difficulty logging into his account last week, despite being 100% sure he knew his login and password. He clicked the “Forgot My Password” link multiple times but nothing came into his inbox/junk. Eventually, he called BA (which took hours) only to be told that he would be sent a password reset link. Nothing.
Again he tried calling BA, but eventually he was told that his email address had been changed to a random string of text. The only advice he was given was never to log in using your email, just your membership number.
Today his account has been locked for 2 weeks due to “suspicious activity” (talk about after the horse has bolted) and on calling BA yet again was told that 300,000 Avios have been transferred out of his account to a Qatar account.
I tweeted BA over the weekend to ask whether they have suffered another data breach and whether this has been reported to the ICO. I’m yet to get a response.
Who would have thought that Avios were so valuable that people would steal them?
But as a bit of advice, if you haven’t changed your password in a while, please think about doing it.
This forum is full of posts where Nectar accounts were hacked unfortunately.
Brave new world, protect your points and miles.
There is a specific email for BA’s data protection officer – available on the website.
Twitter isn’t going to work especially when they will be dealing with people with cancelled and delayed flights due to the weather.
There’s a topic about this already: https://www.headforpoints.com/forums/topic/avios-stolen-contacting-ba/
I tweeted on Friday when my friend told me he couldn’t gain access to his account, 48 hours before the storm hit. Unless of course, you think that BA does that amount of planning. I’m sceptical.
You said the weekend now you say you tweeted them on Friday!
And yes, Twitter is busy whatever the day of the week, storm or no storm. BA has cancelled and delayed flights every day of the week, storm or no storm, and dealing with people on cancelled and delayed flights, whatever the cause, takes priority.
And yes they also proactively cancel flights based on forecast.
It’s unlikely to be a fresh BA data breach (they would have had to report it within 72 hours, so we should have heard by now) – more likely that your friend uses the same email and password combination on a different website that has been hacked in the past. This data is available on the dark web along with tools that will test the combinations on other sites. If your friend puts their email address into the “Have I Been Pwned” website, they will probably find the culprit.
I don’t know if it’s in any way connected but I got alerts that someone had tried to access 2 of my email accounts from Germany on Friday. Fortunately I saw these fairly soon after they were sent and changed my passwords and (fingers crossed) all my points and avios seem to be intact!
Hmm that site says one of my emails has been in 9 data breaches!
I work in cyber risk and compliance so I know the score. It was more an attempt to elicit a response from BA. If they had experienced a breach it must be reported by law within 72 hours, however the law is not always the priority for some organisations – not that I am suggesting that BA are not adhering to their legal obligations.
It does highlight the shocking state of BA’s IT. They had an outage 2 days ago. About time they thought about multi factor authentication.
Not all breaches have to be reported. Only those that are likely to pose a risk to the ‘rights and freedoms’ of those affected.
Even those that are reported to the regulator don’t necessarily have to lead to informing all affected customers.
There are many breaches every day that the public never hear about. And that is perfectly within the law.
One of the unfortunate joys of having an online presence! Make sure you have changed the passwords on those nine sites in particular, and also make sure you do not use that email address and password combination on any other site.
Absolutely true – stray emails and all that, but this is a scenario where the breach would have exposed so much personal information (addresses, passport details, travel plans, credit cards etc), the end user could not log in, and lost avios, I cannot see it not being public if it happened.
I suspect that subtlety about GDPR might be lost on the BA social media team (if they were not told about a data breach in their briefings, they will ignore the comment), but I agree on the multi-factor authentication, and on how frustrating BA’s IT was all weekend.
I hate to think how badly BA could implement MFA. I’m sure they’d make it as annoying as possible.
I suspect they would inadvertently implement AFA, Any Factor Authentication.
Ironically, they seem to have implemented 2FA on their Avios-earning e-store shopping site. I was recently asked for a code sent to my mobile phone, which all worked.
I suffered the same fate on Jan 13. Exec club account compromised, email changed and 200k avios stolen from my account to a Qatar Airways account. I passed security questions on the first phone call when I realised something was wrong, but I no longer pass the security questions.
In any case, I’ve been told only verbally that my account is locked and is under investigation. I asked for a written communication to my originally registered email address but this has not happened.
I was told the investigations team would be in contact when and if they needed to confirm any account activity. I pointed out that if using my current (fake) account details, they would be contacting the thief to verify and not myself…….