
Exec Club account hacked - Avios gone

Old Jul 4, 2020, 3:26 am
  #16  
Original Poster
 
Join Date: Mar 2012
Location: London, UK
Programs: BA Gold, Hilton Honors Lifetime Diamond
Posts: 69
Hi guys,

Just to report a very satisfactory outcome. BA took proactive action to lock my account, investigated and re-posted my Avios within 24 hours.

They also helpfully told me that 10 websites on which my email address had been registered had suffered data breaches, and that I can check the details on a website called haveibeenpwned.com. A lesson to never re-use passwords and to regularly change them I think!

Cheers,

Adam
adamgilbride is offline  
Old Jul 4, 2020, 8:17 am
  #17  
 
Join Date: Dec 2001
Posts: 1,034
I'm hoping that the wine transaction was halted and British Airways isn't losing out on this.

Here's a slightly awkward question @adamgilbride;

Had British Airways lost out financially, what would be the right way to deal with it? The Executive Club account wasn't breached because of a British Airways security failure but because you have used the same password and username on several different sites which is your security failure. Should you be compensating British Airways for their loss?

One thing I think British Airways should do is implement multifactor authentication so that those of us who wish to may use it to protect our accounts. I already protect my account with a unique email and a unique long random password but I still don't feel it's good enough.
SarahWest is offline  
Old Jul 5, 2020, 2:08 am
  #18  
 
Join Date: Jan 2018
Location: London
Programs: BAEC Gold, Accor Live Limitless Gold, Hilton Honours Gold, Avis Preferred Plus
Posts: 1,806
Originally Posted by SarahWest
One thing I think British Airways should do is implement multifactor authentication so that those of us who wish to may use it to protect our accounts. I already protect my account with a unique email and a unique long random password but I still don't feel it's good enough.
I completely agree with the multifactor authentication. If we are able to protect our accounts for much less valuable content, why should we not be able to protect our accounts when we have potentially thousands of pounds' worth of Avios sitting in our accounts?
wilsnunn is offline  
Old Jul 5, 2020, 2:21 am
  #19  
 
Join Date: Oct 2015
Location: Vale of Glamorgan
Programs: BAEC Gold
Posts: 2,991
Originally Posted by wilsnunn
I completely agree with the multifactor authentication. If we are able to protect our accounts for much less valuable content, why should we not be able to protect our accounts when we have potentially thousands of pounds' worth of Avios sitting in our accounts?
Realistically, though, there is little chance of BA introducing such security, and it is our responsibility to protect our accounts with strong and unique passwords. There is really no excuse now for anyone not being aware of the dangers of using the same email address and password on multiple websites.
Misco60 is offline  
Old Jul 5, 2020, 4:26 am
  #20  
 
Join Date: Dec 2001
Posts: 1,034
Originally Posted by Misco60
Realistically, though, there is little chance of BA introducing such security
Why? It's not exactly complicated to implement these days. I've set it up on all servers with remote access that I manage - for web, SSH and mobile VPN user access. There are quite a few commercial MFA solutions available off the shelf and many allow self-enrolment. If Amazon, PayPal, LinkedIn, Finnair and Qantas* can do it, why not BA?
Originally Posted by Misco60
and it is our responsibility to protect our accounts with strong and unique passwords. There is really no excuse now for anyone not being aware of the dangers of using the same email address and password on multiple websites.
I agree that nobody should be using the same password across multiple sites but I also feel that airlines and other sites should be providing a multifactor authentication option. It protects both the consumer and supplier.

* note that Qantas only supports SMS second factor authentication which is insecure and is no longer recommended by NIST. I've included Qantas because they've made some effort to improve security, even if it's not up to current standards. BA has made zero effort.
SarahWest is offline  
Old Jul 5, 2020, 5:04 am
  #21  
 
Join Date: Mar 2015
Programs: BA Gold
Posts: 689
Originally Posted by jerry a. laska
Members whose Avios are stolen seem to consistently have them returned by BAEC following an investigation.
That was the case with me about 5 years ago.
Forever in Seattle is offline  
Old Jul 5, 2020, 5:18 am
  #22  
 
Join Date: Oct 2015
Location: Vale of Glamorgan
Programs: BAEC Gold
Posts: 2,991
Originally Posted by SarahWest
Why? It's not exactly complicated to implement these days.

BA has made zero effort.
You've answered your own question. Not complicated, but BA can't be bothered.
Misco60 is offline  
Old Jul 5, 2020, 9:12 am
  #23  
 
Join Date: Dec 2013
Location: Near the Beach.
Posts: 202
Originally Posted by SarahWest
I'm hoping that the wine transaction was halted and British Airways isn't losing out on this.

Here's a slightly awkward question @adamgilbride;

Had British Airways lost out financially, what would be the right way to deal with it? The Executive Club account wasn't breached because of a British Airways security failure but because you have used the same password and username on several different sites which is your security failure. Should you be compensating British Airways for their loss?
It wasn't his fault that hackers stole his password/details from other sites, if that's the case. He's the victim here. I completely disagree with blaming the victim.
LifeontheBeach is offline  
Old Jul 5, 2020, 9:16 am
  #24  
 
Join Date: Dec 2013
Location: Near the Beach.
Posts: 202
Originally Posted by adamgilbride
Hi guys,

Just to report a very satisfactory outcome. BA took proactive action to lock my account, investigated and re-posted my Avios within 24 hours.

They also helpfully told me that 10 websites on which my email address had been registered had suffered data breaches, and that I can check the details on a website called haveibeenpwned.com. A lesson to never re-use passwords and to regularly change them I think!

Cheers,

Adam
It always helps not to use the same email address for all sites that a person needs to access. I'm just curious if you used a shared computer before this breach?
LifeontheBeach is offline  
Old Jul 5, 2020, 9:24 am
  #25  
 
Join Date: Jun 2016
Programs: BA: Silver. OneWorld: Sapphire
Posts: 55
Happened to me some time ago - fraudulent hotel booking. Did get the Avios back, but did take some time (i.e. months).
CharterGuy is offline  
Old Jul 5, 2020, 3:00 pm
  #26  
 
Join Date: Jan 2007
Posts: 100
If it's of any help to anyone I find it really helpful to use https://1password.com/ and have a different password for every account bar a few throwaway ones. For certain sites I have bespoke email addresses that I only ever use with that supplier.
golfmad and wilsnunn like this.
M_at is offline  
Old Jul 5, 2020, 3:17 pm
  #27  
Moderator: British Airways Executive Club
 
Join Date: Nov 2010
Location: TPA/ABZ
Programs: BA Lifetime Gold. GGL/CCR.
Posts: 13,248
Originally Posted by M_at
If it's of any help to anyone I find it really helpful to use https://1password.com/ and have a different password for every account bar a few throwaway ones. For certain sites I have bespoke email addresses that I only ever use with that supplier.
I’m with you on that. It’s a great product. I also maintain my own personal domain and can use any email address in front of the domain and everything comes into my inbox so I can choose different email addresses for any site if I want to. This also makes it really easy to mark stuff as junk based on the incoming email address.
golfmad is offline  
Old Jul 5, 2020, 3:32 pm
  #28  
 
Join Date: Jan 2018
Location: London
Programs: BAEC Gold, Accor Live Limitless Gold, Hilton Honours Gold, Avis Preferred Plus
Posts: 1,806
Originally Posted by M_at
If it's of any help to anyone I find it really helpful to use https://1password.com/ and have a different password for every account bar a few throwaway ones. For certain sites I have bespoke email addresses that I only ever use with that supplier.
And another plus one from me with 1Password.

Originally Posted by golfmad
I’m with you on that. It’s a great product. I also maintain my own personal domain and can use any email address in front of the domain and everything comes into my inbox so I can choose different email addresses for any site if I want to. This also makes it really easy to mark stuff as junk based on the incoming email address.
I do the exact same!
golfmad likes this.
wilsnunn is offline  
Old Jul 5, 2020, 4:10 pm
  #29  
 
Join Date: Dec 2001
Posts: 1,034
Originally Posted by LifeontheBeach
It wasn't his fault that hackers stole his password/details from other sites, if that's the case. He's the victim here. I completely disagree with blaming the victim.
Whatever your own opinion may be, the standard professional advice for a very long time has been not to use the same password on different sites, yet that is what the OP did. Ignore that advice at your peril; it's there for a reason. That advice has been on BA's site explicitly (https://www.britishairways.com/en-gb...bsite-security) since 2016, if not before.

No, it certainly wasn't the OP's fault that the password he used on a particular site was compromised but it absolutely was down to him that he used the same password across multiple sites. That's what ultimately allowed someone to access his BAEC account and use his Avios. If you are certain that's not his responsibility, please say whose it is. I'll give you a hint; it's not BA's.

Do you also, by any chance, use the same password across multiple sites and expect someone else to pick up the pieces when your password gets compromised? Inquiring minds want to know.
SarahWest is offline  
Old Jul 5, 2020, 4:18 pm
  #30  
 
Join Date: Dec 2001
Posts: 1,034
Originally Posted by wilsnunn
And another plus one from me with 1Password.



I do the exact same!
...and from me. I use 1Password to generate long passwords and save them for each site I register with.
golfmad likes this.
SarahWest is offline  



This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.