I logged in this afternoon to find my Avios returned, at some point between 3pm and 7pm UK time.
So that’s good news!
But there’s still no explanation from BA on what happened. I’d really like some more information on the hack. Was it a hack of BA, or of a third party, as was my initial impression?
What I don’t buy is a hacker (or hackers) obtaining a password list elsewhere. I use unique and complex passwords for every site. For me, the hackers obtained the password via a third party that had access to the account (TripIt in my case), or via a flaw in BA’s systems that allowed access.
But… what do I mean when I say access? I’m not sure, as BA aren’t being forthcoming. How do they know which accounts were accessed? Was any account that had automated tools accessing it simply blocked, just in case?
Were perhaps a few accounts breached and had Avios and personal details stolen, and BA took these measures as a precaution? Or do they have concrete evidence of misuse on every account?
To say they don’t have evidence of details being stolen does, to me, suggest that there weren’t people logging in, browsing around. It sounds like they have an identifiable pattern to match to the hack – a source IP, an API query, a format of automated messages? Or perhaps they have no idea at all…
The odd thing is, I have only heard of one case of Avios misuse so far from other blogs and Twitter – the case of the couple who had a hotel booked in Spain. If this was as big as the number of blocked accounts suggests, I’d have expected to see more…
My passport and credit card details are on there, and that makes me nervous without BA providing more information on what they detected, and how they know the impact.
And so far there isn’t even a message on the website, or a follow up email.
Update, 8pm UK time – I just received the following email from BA: