Should you be worried about the BA frequent flyer account hack?


Some British Airways frequent flyer profiles have been hacked, according to reports, possibly affecting thousands of the company's Executive Club account holders.

A spokesperson for BA said: "British Airways has become aware of some unauthorised activity in relation to a small number of frequent-flyer Executive Club accounts.

"This appears to have been the result of a third-party using information obtained elsewhere on the internet, via an automated process, to try to gain access to some accounts."

The airline said that no names, addresses or bank details were viewed or stolen by the intruders.

"We would like to reassure customers that, at this stage, we are not aware of any access to any subsequent information pages within accounts, including travel histories or payment card details," BA continued.

"We are sorry for the concern and inconvenience this matter has caused and would like to reassure customers that we are taking this incident seriously and have taken a number of steps to lock down accounts so they can no longer be accessed."

Security expert Graham Cluley said the incident highlighted the need for users to ensure they use different passwords for different accounts.

"From the sound of things, the attackers managed to get hold of a database of usernames and passwords and then threw it at the British Airways Executive Club website to see if they would also unlock accounts there," he said in a blog post.

"As I've said many times before, you should never use the same password for multiple websites."

Many BA customers have taken to forums such as Flyer Talk, concerned that their Avios balance has dropped to zero. Those contacting the airline have been told that their account may have been "breached".

User BA038_Passenger said on 27 March after enquiring about the problem: "My account should be replenished with my missing avios within 24-48 hours after answering a couple of security questions and resetting my password. They told me that they suspected my account had been breached somehow."

"Same has just happened to me," user ENTP also said. "I called BAEC, answered a few security questions, and was told my Avios will be reinstated soon." (sic)

Cluley lambasted BA for including a link in its correspondence with users as it tried to reassure them and correct the issue. "If you have any concerns, my recommendation would be to contact BA's customer service team (who are probably quite busy right now) and change your British Airways Executive Club password," he said.

"But, please, don't use the link that the BA email includes in its warning message. They should never have included a clickable link when they invited you to reset your password, as that's a classic trick used by criminals phishing for login credentials."

Caroline Preece
