Back in late March, British Airways had a bizarre situation whereby they locked thousands of Executive Club members out of their accounts and took all of their Avios. Apparently they locked all accounts which were using third parties to access their Executive Club accounts. In other words, they locked the accounts of anyone who uses services like AwardWallet to monitor their points balances.
The communication on the part of British Airways was abysmal — they locked accounts, then emailed members, and then took several days before they actually made the Avios balances available again. It sounded like a very limited number of accounts (if any) were hacked, and then they sort of just panicked, as if it were the first time they heard of services like AwardWallet.
But apparently that saga isn’t over completely… at least for my account. On Saturday I received the following email from British Airways, which I found bizarre:
Thank you for contacting the Club – it’s nice to hear from you.
To achieve Gold membership you need to earn 1,500 Tier Points in your Tier Point collection year, as well as take four eligible flights.
We recognise there are times we can be more flexible for our Members, especially for our most loyal travellers, and we are always working to develop the Executive Club and its benefits, so your comments are important to us.
I’ve considered everything you mentioned, but as you did not complete any eligible flights or earn any Tier Points, I’m sorry to say I am unable to upgrade your membership.
As someone who flies with us as often as you do, I know this is not the answer you were hoping for and I am sorry I could not be more helpful on this occasion.
As an AAdvantage Executive Platinum member, remember you still share many of the same benefits of Gold membership. For instance, you can enjoy priority check in and boarding and take advantage of extra baggage allowance.
Thank you for giving me the opportunity to respond to your concerns and I do hope you will fly with us again in the not too distant future.
If you would like to contact me again about this case please click on this link:
www.ba.com/your case
Apparently I requested a status match or to be upped to Gold status (and noted I’m an Executive Platinum with American)… only I never did.
Then the following day I received the following email from British Airways:
You may recall the Executive Club placed your account under audit 27 March as part of a larger data incident. After you changed your log in details, and since releasing your account on 30 March, we have continued to monitor it for unusual activity.
I am contacting you because since updating your information with the Executive Club, we have continued to regularly monitor your account. I have checked online, and I can see your personal information has been breached somewhere. Although your information with British Airways has not been compromised, if you have used the same user name or password with us, you should change this as soon as possible. For more information on what information has been breached and the source of this breach, there are a number of web sites you can review, including https://haveibeenpwned.com/.
If you would like me to place your Executive Club account in audit again whilst you secure your identity, please do let me know. Remember, your account will remain in audit for up to three months or until you contact us to have it removed, whichever is sooner.
We will monitor your Executive Club account on a regular basis all the time that it remains in audit and investigate any irregular activity.
May I suggest that for additional security you change your password regardless and also if possible change your email address as well.
Then on top of that I received several emails regarding retroactive mileage claims I apparently requested.
These were all for flights I never took, and suffice to say, for flights I didn’t claim retroactive mileage credit for.
Bottom line
This is a first for me. I find it especially interesting that they’re somehow connecting this to the March 27 breach, because as far as I know nothing happened to my account then.
But I can’t actually figure out what happened to my account here. It’s one thing if someone was trying to steal my Avios, but I’m not sure what they’re hoping to accomplish by requesting a retro-mileage claim or trying to get my status upped.
Anyone have ideas as to what’s going on, or experience something similar?
Thought you might find this email interesting:
Thank you for your patience while we have been investigating how your Executive Club account was compromised. Please accept our apologies for the difficulties that you have experienced due to this incident.
Due to several attacks against various companies and websites in recent years, some of our customers have found that their email addresses and some of their passwords have been included on lists made available on the internet. These lists were not compiled using data stolen from British Airways but are the result of attacks against third parties unrelated to British Airways.
The email address you were using on your account is included in a list of personal data that has been shared on several websites. You can see references to your email at https://haveibeenpwned.com , for example. The information available in this list is likely to have been enough to gain access to your account, particularly if you tend to use the same password for multiple websites.
Unfortunately, the unauthorised user would have had full access to your own account and any information about you stored on it. The other Members in your Household account would not have been compromised, unless at any time the email address on their accounts was shared by you. However, the third party would have been able to see their names and membership numbers.
I can certainly understand how concerned you must feel about this incident. Our Audit team are continuing to monitor your account. Please make sure you are using a strong password that is not in use on any other website. You should also secure your identity with any other website where you used the compromised email address as your email address or user name.
I have no idea.
My account was locked and Avios removed a few weeks before the devaluation when I was trying to use them for redemptions. I was really annoyed with the lack of communication from BA.
My guess: to a small but real slice of the world, you are a celebrity, with all the exposure that comes with that to attempts to access and disrupt your life. Someone either has hacked your account, or equally likely is "phishing" for access to it.
At the very minimum, if you haven't done so already you need to change every single password related to travel, email, social media and banking to something unique and unhackable by brute force methods or basic social engineering.
Personally I'd recommend a combination of 1Password and Diceware (see this blog entry at 1Password's site: https://blog.agilebits.com/2011/06/21/toward-better-master-passwords/).
These are good precautions for everyone to take, of course, and maybe you already have genuinely secure passwords and other protections in place. But if not, it's time to get cracking, so to speak. The good news is that password managers like 1Password make it pretty easy to maintain a high level of personal security . . . on your end. You can't do much about the servers run by the companies who store your data, but compared to your celebrity risk, which is exceptionally high (ask Jennifer Lawrence), that broader, general-public risk is relatively low if your passwords are truly unique and unguessable.
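As an added example (mine, not the commenter's or 1Password's code), here is the arithmetic behind the Diceware recommendation above: mapping a five-dice roll to a wordlist index, the entropy of an n-word passphrase drawn from the real 7776-word list, and generation with a CSPRNG. The wordlist embedded in the code is a constructed stand-in, not the real Diceware list.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # the real Diceware list has 7776 entries, one per roll

# Constructed stand-in wordlist for demonstration only (indices 0..15).
CONSTRUCTED_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gavel", "harbor",
    "ivory", "jigsaw", "kettle", "lumen", "marble", "nectar", "orbit", "pylon",
]


def roll_to_index(roll: str) -> int:
    """Convert a five-dice roll such as '11111' or '66666' to a 0-based
    wordlist index: the roll is a base-6 number whose digits run 1..6."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError(f"not a five-dice roll: {roll!r}")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def passphrase_bits(num_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy in bits of a passphrase chosen uniformly from list_size**num_words
    possibilities; each uniformly chosen word contributes log2(list_size) bits."""
    return num_words * math.log2(list_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every possibility at the given offline guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def generate_passphrase(num_words: int, words=CONSTRUCTED_WORDS) -> str:
    """Pick words with the OS CSPRNG (secrets), never random.random, so that
    the entropy estimate above actually holds for the generated phrase."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    print(generate_passphrase(6))
    for n in (4, 5, 6):
        bits = passphrase_bits(n)
        print(f"{n} words: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1e12):.2e} years at 1e12 guesses/s")
```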
Yep, sounds like some unimaginative soul thought it might be a good idea to pretend to be you and claim for flights they think you've taken. Hope it gets sorted out soon.
Someone hacked your account and is trying to get Avios. See if you can change your login credentials there and for all award wallets you're using.
Maybe someone trying to make up for that time they cancelled your Paris flight and rebooked you Raleigh - Los Angeles by getting you extra miles and status with BA?
https://onemileatatime.com/someone-decided-to-cancel-my-tickets-remember-to-protect-your-travel-plans/
@ Gary Leff -- Hahahahaha!
I'm having a similar problem not being able to access my Executive Club account. I did use AwardWallet to check my balance. I've been trying for weeks to get someone at BA to help me straighten out the problem and get access to my account again, but so far no luck. I
I got my account breached a month ago. Try and escalate to audit, but beware, they will lock your account again for a month.
Well, you're blog-famous and we are not, so... You tell us!
"For more information on what information has been breached and the source of this breach, there are a number of web sites you can review, including https://haveibeenpwned.com/."
HAHA. So professional-sounding. Great site though, I'll admit.
Something strange going on here for sure. I would call BA and escalate the issue. My first reaction is someone has been trying to hack your account.
Would be interested to hear what happens.
Good luck.
This does not seem to be much of a mystery to me. Looks like someone is following your blog and is trying to claim retrospective Avios for flights that you have taken, so that they can then spend those Avios quickly on something or transfer them.
Have I been pwned .com? No way that's a safe website or that email is actually from BA.