British Airways Freezes Executive Club Accounts After Hack (Update: Avios Points Now Available)
UPDATE: British Airways restored the Avios of the breached accounts and sent an email to inform the affected customers. According to the statements lifted from the email, the company assured customers that their accounts have been checked and that no points or information pages were compromised as a result of the breach:
"Following our recent communication about some unauthorised activity in relation to your Executive Club account, we are pleased to inform you that we have completed our internal audit of your account."
"At this stage we are not aware of any access to any subsequent information pages within your account, including your flight history or payment card details."
"We also do not believe, at this stage, that any Avios have been removed from your account, so we have now lifted the precautionary suspension on your account and you are free to use it as you wish."
British Airways continues to remind customers to change their passwords as a result of the hack by following the "“Forgotten PIN/Password?” link on their home page. Similarly, those who were affected are advised to monitor their British Airways Executive Club Avios points and ensure that all their other online accounts are safe.
Note that there is a good chance that users of other rewards programs or online services may be targeted in a similar manner. These days, it is not only financial accounts that need to be monitored, but services like these that may reveal personal data.
British Airways froze thousands of Executive Club frequent flier accounts on March 27, Friday after confirming “unauthorised activity” from a third party in them. The number of affected users is unclear, but various news outlets claim that tens of thousands may be affected. Some users claim that customer service agents told them "over a million" accounts were affected.
“This appears to have been the result of a third party using information obtained elsewhere on the Internet, via an automated process, to try to gain access to some accounts,” says a British Airways spokesperson to the Guardian.
Based on the following email sent by British Airways to affected customers, their accounts were hacked by cybercriminals from other accounts that use the same passwords :
Screenshot of a British Airways email to a hacked Executive Club customer
However, it is possible that cybercriminals got hold of a list of credentials for a travel-related third party service, which users can easily sign up for, and reused user names and passwords to access British Airways frequent flier mile accounts. A number of third party services for travelers include features that monitor and access users’ frequent flier accounts. So, if this is the case, other frequent flyer accounts also registered with these services may be at risk.
Avios, Amigos
For now, British Airways Executive Club fliers may need to go through extra steps to be able to use Avios, a major inconvenience for those who wish to use their miles in the near future. Additionally, it hampers those who were planning to claim their Avios rewards such as hotel stays and car rentals.
This may be a stressful break for the British Airways, which houses millions of clients under its frequent flyer program and has earned €1.22 billion (US$1.32 billion) in profit in 2014. The company has claimed that they are still unaware of access to customers’ information pages that contain flight history or payment card details. Although it is likely that cybercriminals may try to transfer and use frequent flier points, this can easily be reverted using additional security measures by the company in question, which in this case is the International Consolidated Airlines Group, S.A. (IAG).
Best Practices
Here are what you need to do if you are affected by this breach:
- Monitor your frequent flier rewards points not only from British Airways, but those gained from other travel companies as well.
- Revisit the access and amount of information you are allowing travel-related apps, and, if possible, revoke access and change the passwords for all accounts that use identical passwords.
- Either use strong passphrases with a healthy combination of alpha-numeric symbols that’s easy for you to memorize, or use a secure password manager that generates and keeps multiple strong passwords for you.
[Download: How to Secure Multiple Online Accounts]
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.