My Avios are back!

I logged in this afternoon to find my Avios returned, at some point between 3pm and 7pm UK time.

So that’s good news!

But there’s still no explanation from BA on what happened. I’d really like some more information on the hack. Was it a hack of BA, or of a third party, as was my initial impression?

What I don’t buy is a hacker (or hackers) obtaining a password list elsewhere. I use unique and complex passwords for every site. For me, the hackers obtained the password via a third party that had access to the account (TripIt in my case), or via a flaw in BA’s systems that allowed access.

But… What do I mean when I say access? I’m not sure, as BA aren’t being forthcoming. How do they know who was accessed? Was it just the case that any account that had automated tools accessing it was blocked, just in case?

Were perhaps a few accounts breached and had Avios and personal details stolen, and BA took these measures as a precaution?  Or do they have concrete evidence of misuse on every account?

To say they don’t have evidence of details being stolen does, to me, suggest that there weren’t people logging in and browsing around. It sounds like they have an identifiable pattern to match to the hack – a source IP, an API query, a format of automated messages? Or perhaps they have no idea at all…

The odd thing is, I have only heard of one case of Avios misuse so far from other blogs and Twitter – the case of the couple who had a hotel booked in Spain. If this was as big as the number of blocked accounts suggests, I’d have expected to see more…

My passport and credit card details are on there, and that makes me nervous without BA providing more information on what they detected, and how they know the impact.

And so far there isn’t even a message on the website, or a follow-up email.

Update 2000 UK time – I just received the following email from BA:

Following our recent communication about some unauthorised activity in relation to your Executive Club account, we are pleased to inform you that we have completed our internal audit of your account.

We are continuing to investigate this incident, which we understand was the result of a third party using information obtained elsewhere on the internet to gain access to Executive Club accounts.

At this stage we are not aware of any access to any subsequent information pages within your account, including your flight history or payment card details.

We also do not believe, at this stage, that any Avios have been removed from your account, so we have now lifted the precautionary suspension on your account and you are free to use it as you wish.

However, if you haven’t yet changed your password as a result of last Friday’s email from British Airways, please visit the British Airways website and follow the “Forgotten PIN/Password?” link, which can be found in the top right hand corner of our main home page.

We would recommend that you continue to be vigilant about any unusual or suspicious use of your personal data.

If you use the same login details for your Executive Club account as you do for your online accounts with any other organisations, we would also recommend that you change the passwords for these accounts.

We are sorry for the concern and inconvenience this matter has caused you and would like to reassure you that we are continuing to take this incident seriously.

British Airways Executive Club team
