BAEC Account Hacked
#1
Original Poster
Join Date: Sep 2015
Location: YYZ (ex-LHR)
Programs: BA Silver, VS Red, OZ Silver
Posts: 446
I had an email last night from BAEC informing me that I'd changed my email address, and had I not initiated this change, to contact them immediately. As the UK office was closed, I called the US phone number. 90 minutes later, I managed to freeze the account, and I'm currently awaiting a telephone call from the audit team today to discuss.
Whoever hacked the account also changed the account address, which meant I was unable to pass the security questions when I called BAEC, which turned what would've been a short telephone call into a 90-minute one. During that time, I have little doubt that they emptied the Avios balance.
No call from BA as of yet, but I wanted to know what to expect. Will everything be reinstated as it should be, or is it going to be more complicated? I have no idea how they got in, as I take my online security seriously. I'm guessing it was brute forced (come on BA...two-step authentication would be nice!). But obviously, my personal data would have also been compromised.
Should I worry about my separate Avios account, and my Lloyds credit card? Or is this situation much, much worse than that?
#2
Ambassador: Emirates Airlines
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,638
There have been a few reports of this over the last couple of years.
From what I can remember, it all gets sorted eventually, but may take a few weeks. You'll probably find that the account has been used to book hotels.
One thing that is common - don't bother trying to speed up the process... you'll get nowhere once the account is under audit. You'll just need to be patient.
#3
Original Poster
Join Date: Sep 2015
Location: YYZ (ex-LHR)
Programs: BA Silver, VS Red, OZ Silver
Posts: 446
That's something at least. My BAEC account isn't as valuable as some on here, but it's still enough for a couple of nights in a hotel.
It just occurred to me that in addition to my name, postal address and date of birth, the hacker also has access to the data that I kept on file, such as my passport number. Oh joy. Better keep an eye out for identity fraud.
#4
Ambassador: Emirates Airlines
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,638
Can you actually see your passport number on the website? I'm pretty sure it's partially (if not fully) asterisked out.
#5
Ambassador, British Airways Executive Club, easyJet and Ryanair
Join Date: Sep 2011
Location: UK/Las Vegas
Programs: BA Gold (GGL/CCR)
Posts: 15,943
#7
Join Date: May 2012
Location: Londondinium
Programs: BAEC Sludge
Posts: 96
I went through this trauma this time last year and it took several months to sort out. BA really didn't want to talk to me either during that time, to say the least. Basically every time I tried to call them, they treated me like the villain and told me ever so politely to bugger off.
I gathered all my evidence, reported the fraud to Action Fraud and waited. Eventually everything was restored and I lost nothing (other than my confidence in BA IT).
Good luck!
#8
Formerly known as linzbh
Join Date: Dec 2013
Location: LON
Programs: BAEC GGL, Hilton Diamond, Bonvoy Titanium
Posts: 459
make sure your passwords are all unique for all your accounts, email, ba, banking etc.
your security questions are random answers and not genuine.
use an offline password manager like 1Password with a memorable master password that you share with no one and isn't used for anything other than your password manager.
not an ad, just common sense for secure online presence.
#9
Join Date: Jan 2002
Location: Sussex, UK
Programs: BA:Gold Amex:Green :IC Platinum Elite Amb
Posts: 660
Even phrases made from three-letter words can be used to get past some attacks. You stand a chance of remembering LHR JFK LAS HNL SAN DUB but no brute force or rainbow table attack will get an 18-character password and will waste time on searching a-z, 0-9 etc.
A security professional I worked with carried a printed card with all his passwords on it - the trick was knowing where the password was!
e.g. http://www.passwordcard.org/en
A chain is only as strong as its weakest link. It's far safer to pick secure passwords and write them down, than it is to remember simple and easy to guess passwords.
Last edited by UKTony; Feb 9, 2016 at 2:56 pm Reason: To make more relevant to this forum
#10
Original Poster
Join Date: Sep 2015
Location: YYZ (ex-LHR)
Programs: BA Silver, VS Red, OZ Silver
Posts: 446
So this debacle is still going on, which doesn't surprise me after reading these replies. BA don't really want to talk to me, and all I've been told is the audit team will contact me "within a month."
One BAEC agent told me that I can still continue to input my FF number on bookings to accrue tier points and Avios. I'm considering doing that, particularly because I'm annoyingly close to Silver and getting over that threshold is necessary for my future travel. However, that also seems a stupid idea because:
1) There's a chance they might not credit the TP and Avios, and I'd have no way of knowing whether they've done it
2) The booking will appear on my account, enabling whatever criminal who broke into my account to control it
3) It'll be difficult to manage the booking without having an Executive Club account to do so
Is this a good idea or not?
#11
Moderator: British Airways Executive Club
Join Date: Nov 2010
Location: TPA/ABZ
Programs: BA Lifetime Gold. GGL/CCR.
Posts: 13,275
This sounds reasonable to me. Why not give them the time they've asked for? It sounds like they are taking it very seriously and need some time to check facts and get it straightened out. Remember, there are possibly two of you telling them they are the 'real' you and I'm not surprised it's a little complicated.
#12
Ambassador: Emirates Airlines
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,638
#13
Join Date: Jun 2006
Location: UK, Peak District near MAN
Programs: BA- blue, BD,DL
Posts: 2,027
So this debacle is still going on, which doesn't surprise me after reading these replies. BA don't really want to talk to me, and all I've been told is the audit team will contact me "within a month."
One BAEC agent told me that I can still continue to input my FF number on bookings to accrue tier points and Avios. I'm considering doing that, particularly because I'm annoyingly close to Silver and getting over that threshold is necessary for my future travel. However, that also seems a stupid idea because:
1) There's a chance they might not credit the TP and Avios, and I'd have no way of knowing whether they've done it
2) The booking will appear on my account, enabling whatever criminal who broke into my account to control it
3) It'll be difficult to manage the booking without having an Executive Club account to do so
Is this a good idea or not?
Then add your BAEC number at check-in only; that way, if anyone can access your Executive Club account, they won't be able to alter your bookings before you fly.
#14
Original Poster
Join Date: Sep 2015
Location: YYZ (ex-LHR)
Programs: BA Silver, VS Red, OZ Silver
Posts: 446
This sounds reasonable to me. Why not give them the time they've asked for? It sounds like they are taking it very seriously and need some time to check facts and get it straightened out. Remember, there are possibly two of you telling them they are the 'real' you and I'm not surprised it's a little complicated.
I'll go for the check-in option.
#15
Moderator: British Airways Executive Club
Join Date: Nov 2010
Location: TPA/ABZ
Programs: BA Lifetime Gold. GGL/CCR.
Posts: 13,275