BA Executive Club security breach


    mkcol74
    Participant

    Today I received an email from the BA Exec Club, as below.

    I’ve not yet reset my password as I wasn’t convinced the email was real, so I investigated a bit & found that I’m far from the only one. In fact my husband also received the same email & has reset his login details – all his Avios have been wiped. The Silver cardholder line was too busy to take calls & was automatically disconnecting him when he called.

    Far from ideal – I dread to think what has happened to my not insignificant bundle of Avios when I get my login reset.

    I note they couldn’t even address it to me, just a generic “customer”

    “Dear Customer

    British Airways has become aware of some unauthorised activity in relation to your Executive Club account.

    This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to your Executive Club account.

    We understand this was login information relating to a different online service which you may have also used to access your Executive Club account.

    We would like to reassure you that, although it does appear that the login attempt was successful, at this stage we are not aware of any access to any subsequent information pages within your account, including your flight history or payment card details.

    We have now locked down your online account to protect it from further access. As part of the lock-down process we have also changed your password and you will need to reset it before you are able to use your account.

    Please click here and follow the password reset process.

    If you use the same login details for your Executive Club account as you do for your online accounts with any other organisations, we would also recommend that you change the passwords for these accounts, as well as exercising vigilance regarding any unusual or suspicious use of your personal data.

    For a short period of time, as a precaution, we have also suspended the use of Avios on your account. We will let you know when this suspension period is over.

    In the meantime, however, if you wish to spend your Avios please contact us via your local Executive Club service centre. We will be able to reactivate your account by asking you some additional security questions.

    We are sorry for the concern and inconvenience this matter may have caused you and would like to reassure you that we are taking this incident seriously.

    British Airways Executive Club team”


    CityRiskBoy
    Participant

    Hi, my account got hacked last month. BA have only just got back in touch with me to tell me it’s resolved and they have credited my Avios back to my account (all of mine were wiped also). I didn’t reset my password from any email even though I received 5/6 automated emails anyway; mine got hacked as someone managed to add themselves on to my household account and then went spending!

    I’ve asked BA for compensation for the inconvenience so will wait and see what they come back with!

    Good luck… I’m sure it will get sorted out for you.


    TominScotland
    Participant

    CityRiskBoy – I too received this e-mail, have changed my password and now find that my Avios have been reset to 0, presumably as BA’s way of actioning

    “For a short period of time, as a precaution, we have also suspended the use of Avios on your account. We will let you know when this suspension period is over.”

    In the circumstances, I am happy that they have done this and, provided that the Avios find their way back into my account in due course, will not see this as a major issue.

    Which is why, CityRiskBoy, I am a bit bemused by your determination to see compensation…


    SimonS1
    Participant

    Seems according to FT there has been a widespread issue affecting hundreds if not thousands of BAEC users.

    The only common thread seems to be some (but not all) people using Award Wallet or some other third party software.

    Either way it doesn’t sound good.


    KarlMarx
    Participant

    I don’t have many Avios left, compared to some (tens of thousands) and my account has not been locked down.

    Nonetheless, this episode has seriously dented my confidence, as BA does not seem to have issued any general statement about what is going on, so it is difficult to assess how serious it is (although reference to the thread in Flyertalk suggests it is not a trivial problem.)

    Accordingly, I have just been to my BAEC account, changed the password to a stronger one (although I’m not impressed that one can only use numbers and letters, not special characters, which make passwords stronger) and I have removed my address, contact numbers and passport details, replacing them with meaningless words and numbers.

    Edited to add: I am able to do this, as I have no plans to use BA in the near future, so do not need pre-populated APIS, contact details etc.

    TominScotland – 28/03/2015 05:36 GMT – if a company let my household account be hacked (which means they did not protect my personal data), I would be looking for compensation, too. I can only think that you did not read CityRiskBoy’s post carefully, his situation is different.

    mkcol74 – 27/03/2015 21:28 GMT

    I think you were wise to assume that the BA email was a phishing attempt. Does anyone else find it surprising that a company would send out such an email, in the classic format that the crims use? If I got such a mail, it would be deleted immediately without clicking on any links. Looks like a poor show to me.


    MartynSinclair
    Participant

    I had a very similar email from American Express and Barclays over the past week.

    I always check the sender’s email address, any logo and contact details. Where Amex are concerned, I do forward to a VP contact and he forwards to their IT people.


    TominScotland
    Participant

    Just phoned the BAEC Gold Line and was immediately through to a very helpful lady who confirmed that the removal of Avios was purely precautionary, and she sent a message to her colleagues to ensure that they are returned early next week. If I do need to make an Avios booking in the meantime, they will handle this via the Gold Line.

    I thought that the password resetting communications were appropriate and simple to action.


    KarlMarx
    Participant

    TominScotland

    Do you really think that sending out an email that is nearly a 100% match to a phishing mail format is appropriate?

    I do not and as I have not been locked out, I have no axe to grind.

    Edited to add:

    What I find really poor about the email is

    1 – it is addressed to ‘Dear Customer’, not personalised to the customer name or account name/number

    2 – it asks the customer to reset a password by clicking a link

    Both of these aspects of the email would persuade any sensible person to delete it immediately, as a likely phishing attempt. A large plc should be able to do much better.


    TominScotland
    Participant

    In fact the resetting link generates an e-mail to your nominated account which, in turn, allows you to reset your password. Reasonably secure, I think.


    MartynSinclair
    Participant

    Would you do something similar if it had appeared to come from your bank?? I think not… 🙂


    trippleF
    Participant

    I also got the email, but as an IT professional I dealt with it as I would with every suspicious email: do not click on any links (surely we all can go to a new webpage, log in to BA and reset the password in the usual way?). Then I called BA to ask about the authenticity of the email.
    They confirmed it, and although I am busy flying (BA), I am trying to sort out the issue.
    @SimonS1 thank you for the research. I too use AwardWallet, and have now changed all passwords that are registered through that app.

    I agree with many of you that this breach is quite serious, but my impression was BA handled it quite professionally (yeah, the link in the email isn’t great), and they have given me confidence they are taking it seriously and are set up to handle security breaches almost to the standard of a financial institution; that’s quite good, isn’t it?
    My account is locked, and I am promised all Avios points will be returned. I can still check in for flights and book by calling BA, so I am happy to wait a few days for BA to sort it out.


    mkcol74
    Participant

    However @trippleF that’s not quite how it worked.

    Me, my hubby (& 3 other friends in the same situation) all went direct to ba.com to try to log in having received the email, avoiding the link in the email, to try to log in/reset security, and the website would not allow you to do anything. So first we all independently called/tweeted BA to check the authenticity of the email & the link.

    My point: it could have been done so much better & they could have explained in the email that as part of the suspension process the Avios balance would be NIL.


    trippleF
    Participant

    @mkcol74 ah, of course, you are right; in this case you cannot reset your password because your account is locked 🙂 My point was just that in general I would not click on a link in an email but use the “normal” way to do things like reset the password.
    Interesting that many of you here say your Avios are shown as NIL? How do you know if you cannot access your account? Even the BA app doesn’t update, so it shows the old Avios value…


    mkcol74
    Participant

    Well, of those who I know & have spoken to, we all know our accounts have now been wiped down to NIL because, having verified it wasn’t a phishing email from BA, we did then click on the link, reset our passwords & are now back to having access to our accounts on the web & via the app.
    Prior to this none of them were showing any details on balance – the app, when refreshed, was also locked out & wouldn’t let you log in, so it was displaying nothing at all, not even the old balance.

    There is an entry to remove the Avios ironically “Ex-Gratia” – which is exactly how many were in the account. Tier points are intact though 😉
