
BAEC Account Hacked

Old Feb 9, 2016, 6:17 am
  #1  
Original Poster
 
Join Date: Sep 2015
Location: YYZ (ex-LHR)
Programs: BA Silver, VS Red, OZ Silver
Posts: 446
BAEC Account Hacked

I had an email last night from BAEC informing me that I'd changed my email address, and had I not initiated this change, to contact them immediately. As the UK office was closed, I called the US phone number. 90 minutes later, I managed to freeze the account, and I'm currently awaiting a telephone call from the audit team today to discuss.

Whoever hacked the account also changed the account address, which meant I was unable to pass the security questions when I called BAEC, which caused what would've been a short telephone call into a 90-minute one. During that time, I have little doubt that they emptied the Avios balance.

No call from BA as of yet, but I wanted to know what to expect. Will everything be reinstated as it should be, or is it going to be more complicated? I have no idea how they got in, as I take my online security seriously. I'm guessing it was brute forced (come on BA...two-step authentication would be nice!). But obviously, my personal data would have also been compromised.

Should I worry about my separate Avios account, and my Lloyds credit card? Or is this situation much, much worse than that?
Skatering is offline  
Old Feb 9, 2016, 7:30 am
  #2  
Ambassador: Emirates Airlines
 
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,638
There have been a few reports of this over the last couple of years.

From what I can remember, it all gets sorted eventually, but may take a few weeks. You'll probably find that the account has been used to book hotels.

One thing that is common - don't bother trying to speed up the process... you'll get nowhere once the account is under audit. You'll just need to be patient.
DYKWIA is offline  
Old Feb 9, 2016, 8:12 am
  #3  
Original Poster
 
Join Date: Sep 2015
Location: YYZ (ex-LHR)
Programs: BA Silver, VS Red, OZ Silver
Posts: 446
That's something at least. My BAEC account isn't as valuable as some on here, but it's still enough for a couple of nights in a hotel.

It just occurred to me that in addition to my name, postal address and date of birth, the hacker also has access to the data that I kept on file, such as my passport number. Oh joy. Better keep an eye out for identity fraud.
Skatering is offline  
Old Feb 9, 2016, 8:18 am
  #4  
Ambassador: Emirates Airlines
 
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,638
Originally Posted by Skatering
It just occurred to me that in addition to my name, postal address and date of birth, the hacker also has access to the data that I kept on file, such as my passport number. Oh joy. Better keep an eye out for identity fraud.
Can you actually see your passport number on the website? I'm pretty sure it's partially (if not fully) asterisked out.
DYKWIA is offline  
Old Feb 9, 2016, 10:00 am
  #5  
Ambassador, British Airways Executive Club, easyJet and Ryanair
 
Join Date: Sep 2011
Location: UK/Las Vegas
Programs: BA Gold (GGL/CCR)
Posts: 15,943
Originally Posted by DYKWIA
Can you actually see your passport number on the website? I'm pretty sure it's partially (if not fully) asterisked out.
IIRC, if you wish to access the passport data area of MMA you actually need to enter the passport number to get in to that section of the website.
Tobias-UK is offline  
Old Feb 9, 2016, 10:47 am
  #6  
FlyerTalk Evangelist
 
Join Date: Jul 2009
Location: UK
Programs: Mucci, BA, AF
Posts: 10,134
Or date of birth. Which you can get from My Profile.

My Profile info, combined with your list of bookings, can also enable them to change/cancel any of your bookings...
BA6501 is offline  
Old Feb 9, 2016, 11:44 am
  #7  
 
Join Date: May 2012
Location: Londondinium
Programs: BAEC Sludge
Posts: 96
I went through this trauma this time last year and it took several months to sort out. BA really didn't want to talk to me either during that time, to say the least. Basically every time I tried to call them, they treated me like the villain and told me ever so politely to bugger off.

I gathered all my evidence, reported the fraud to Action Fraud and waited. Eventually everything was restored and I lost nothing (other than my confidence in BA IT).

Good luck!
f4monty is offline  
Old Feb 9, 2016, 2:27 pm
  #8  
Formerly known as linzbh
 
Join Date: Dec 2013
Location: LON
Programs: BAEC GGL, Hilton Diamond, Bonvoy Titanium
Posts: 459
make sure your passwords are all unique for all your accounts, email, ba, banking etc.
your security questions are random answers and not genuine.
use an offline password manager like 1password with a memorable master password that you share with no one and isn't used for anything other than your password manager.

not an ad, just common sense for secure online presence.
flylikelinz is offline  
Old Feb 9, 2016, 2:55 pm
  #9  
 
Join Date: Jan 2002
Location: Sussex, UK
Programs: BA:Gold Amex:Green :IC Platinum Elite Amb
Posts: 660
Originally Posted by linzbh
make sure your passwords are all unique for all your accounts, email, ba, banking etc.
your security questions are random answers and not genuine.
Random passwords, length > 9, are now essential and there is a strong argument for only allowing system-generated ones, as people are really predictable.

Even phrases made from three-letter words can be used to get past some attacks. You stand a chance of remembering LHR JFK LAS HNL SAN DUB, but no brute force or rainbow table attack will get an 18-character password and will waste time on searching a-z, 0-9 etc.

A security professional I worked with carried a printed card with all his passwords on it - the trick was knowing where the password was!

e.g. http://www.passwordcard.org/en

A chain is only as strong as its weakest link. It's far safer to pick secure passwords and write them down, than it is to remember simple and easy to guess passwords.

Last edited by UKTony; Feb 9, 2016 at 2:56 pm Reason: To make more relevant to this forum
UKTony is offline  
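
The keyspace arithmetic behind the password-length discussion in posts #8 and #9, as an added example that is not part of any poster's message: it compares the airport-code phrase with system-generated passwords by entropy. The figure of 200 "familiar" airports and the guessing rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

ALL_3_LETTER_CODES = 26 ** 3   # every possible three-letter string: 17,576
FAMILIAR_AIRPORTS = 200        # assumption: airports one traveller would pick from
GUESSES_PER_SECOND = 1e10      # assumption: offline guessing rate against a fast hash


def charset_bits(length, alphabet_size):
    """Entropy in bits of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def token_bits(token_count, vocabulary_size):
    """Entropy when the guesser works in whole tokens (e.g. airport codes)."""
    return token_count * math.log2(vocabulary_size)


def years_to_exhaust(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Time to try every candidate; the average hit comes at half of this."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def generate_password(length=18, alphabet=string.ascii_letters + string.digits):
    """System-generated password from the OS CSPRNG (not the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare():
    """Entropy of each scheme, rounded to one decimal place."""
    schemes = {
        "18 random lowercase letters": charset_bits(18, 26),
        "6 codes from all 3-letter strings": token_bits(6, ALL_3_LETTER_CODES),
        "6 codes from familiar airports": token_bits(6, FAMILIAR_AIRPORTS),
        "18 random letters and digits": charset_bits(18, 62),
    }
    return {name: round(bits, 1) for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:36s} {bits:6.1f} bits  {years_to_exhaust(bits):.3g} years")
    print("example generated password:", generate_password())
```

Six codes match 18 random letters only when each code is drawn uniformly from every possible three-letter string; a phrase built from a traveller's own airports has a far smaller keyspace, which is the case for system-generated passwords stored in a password manager.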
Old Feb 25, 2016, 7:27 am
  #10  
Original Poster
 
Join Date: Sep 2015
Location: YYZ (ex-LHR)
Programs: BA Silver, VS Red, OZ Silver
Posts: 446
So this debacle is still going on, which doesn't surprise me after reading these replies. BA don't really want to talk to me, and all I've been told is the audit team will contact me "within a month."

One BAEC agent told me that I can still continue to input my FF number on bookings to accrue tier points and avios. I'm considering doing that, particularly because I'm annoyingly close to Silver and getting over that threshold is necessary for my future travel. However, that also seems a stupid idea because:

1) There's a chance they might not credit the TP and Avios, and I'd have no way of knowing whether they've done it
2) The booking will appear on my account, enabling whatever criminal who broke into my account to control it
3) It'll be difficult to manage the booking without having an Executive Club account to do so

Is this a good idea or not?
Skatering is offline  
Old Feb 25, 2016, 8:11 am
  #11  
Moderator: British Airways Executive Club
 
Join Date: Nov 2010
Location: TPA/ABZ
Programs: BA Lifetime Gold. GGL/CCR.
Posts: 13,275
Originally Posted by Skatering
So this debacle is still going on, which doesn't surprise me after reading these replies. BA don't really want to talk to me, and all I've been told is the audit team will contact me "within a month."
This sounds reasonable to me. Why not give them the time they've asked for? It sounds like they are taking it very seriously and need some time to check facts and get it straightened out. Remember, there are possibly two of you telling them they are the 'real' you and I'm not surprised it's a little complicated.
golfmad is offline  
Old Feb 25, 2016, 8:17 am
  #12  
Ambassador: Emirates Airlines
 
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,638
Originally Posted by DYKWIA
One thing that is common - don't bother trying to speed up the process... you'll get nowhere once the account is under audit. You'll just need to be patient.
As I said...
DYKWIA is offline  
Old Feb 25, 2016, 8:32 am
  #13  
 
Join Date: Jun 2006
Location: UK, Peak District near MAN
Programs: BA- blue, BD,DL
Posts: 2,027
Originally Posted by Skatering
So this debacle is still going on, which doesn't surprise me after reading these replies. BA don't really want to talk to me, and all I've been told is the audit team will contact me "within a month."

One BAEC agent told me that I can still continue to input my FF number on bookings to accrue tier points and avios. I'm considering doing that, particularly because I'm annoyingly close to Silver and getting over that threshold is necessary for my future travel. However, that also seems a stupid idea because:

1) There's a chance they might not credit the TP and Avios, and I'd have no way of knowing whether they've done it
2) The booking will appear on my account, enabling whatever criminal who broke into my account to control it
3) It'll be difficult to manage the booking without having an Executive Club account to do so

Is this a good idea or not?
If you're worried just use manage my booking to deal with details of your trip, you don't need an account for that.
Then add your BAEC number at check in only, that way if anyone can access your executive club account they won't be able to alter your bookings before you fly.
highpeaklad is offline  
Old Feb 25, 2016, 10:56 am
  #14  
Original Poster
 
Join Date: Sep 2015
Location: YYZ (ex-LHR)
Programs: BA Silver, VS Red, OZ Silver
Posts: 446
Originally Posted by golfmad
This sounds reasonable to me. Why not give them the time they've asked for? It sounds like they are taking it very seriously and need some time to check facts and get it straightened out. Remember, there are possibly two of you telling them they are the 'real' you and I'm not surprised it's a little complicated.
I'd agree if it wasn't for the fact I've heard nothing from them. They haven't contacted me to ask for information which they're in the process of verifying. I guess I view FF accounts as a type of financial product, and if a credit card is compromised, another card turns up a few days later and everything is fixed.

I'll go for the check-in option.
Skatering is offline  
Old Feb 25, 2016, 1:30 pm
  #15  
Moderator: British Airways Executive Club
 
Join Date: Nov 2010
Location: TPA/ABZ
Programs: BA Lifetime Gold. GGL/CCR.
Posts: 13,275
Originally Posted by Skatering
I'd agree if it wasn't for the fact I've heard nothing from them.
They said they would contact you within a month.

It's within that month and you've not heard anything from them.

Those two statements are not contradictory.
golfmad is offline  

