
SITA [airline IT provider] data breach, some BAEC data compromised


Old Mar 5, 2021, 12:53 pm
  #61  
 
Join Date: Nov 2017
Programs: BA, Hilton
Posts: 2,084
Originally Posted by rumbataz
What is this verification step?
A code sent to your registered phone or email address (you can select which) which you will be asked to enter.

My process was use "forgot password" link, enter a new one and use that to log in and told I need to verify.

Get sent verification code, enter that along with second new password (using just created first new password as current, having also guessed which characters they don't like in a password).

Seamless it was not....

Last edited by BertieBadger; Mar 5, 2021 at 12:59 pm
BertieBadger is offline  
Old Mar 5, 2021, 12:55 pm
  #62  
 
Join Date: Nov 2018
Location: BER
Programs: BA GGL, Hilton Diamond
Posts: 1,842
login fails because "Die von Ihnen angegebene Mitgliedsnummer ist bei uns nicht registriert. Bitte korrigieren Sie Ihre Angaben entsprechend." - something like "the exec number you have entered is not registered. Please correct your entry."

edit: it's
  • We are not able to recognise the membership number that you have supplied. Please check and re-enter.

Last edited by Nephoi; Mar 5, 2021 at 1:01 pm
Nephoi is offline  
Old Mar 5, 2021, 1:00 pm
  #63  
 
Join Date: Jun 2012
Programs: IHG Spire Ambassador, Club Carlson Gold, HHonors Gold, Best Western Diamond Select, BA Blue
Posts: 1,335
Originally Posted by BertieBadger
A code sent to your registered phone or email address (you can select which) which you will be asked to enter.

My process was use "forgot password" link, enter a new one and use that to log in and told I need to verify.

Get sent verification code, enter that along with second new password (using just created first new password as current, having also guessed which characters they don't like in a password).

Seamless it was not....
Do you know how long it takes to get the code? I tried to change my password 5 or 6 times over the last hour and I have not had a code to my email address or phone.
rumbataz is offline  
Old Mar 5, 2021, 1:04 pm
  #64  
Community Director
 
Join Date: Jan 2009
Location: Norwich, UK
Programs: A3*G, BA Gold, BD Gold (in memoriam), IHG Diamond Ambassador
Posts: 8,448
Noting the possible compromise of seating preferences, is it too much to hope that the hackers might make a better job of it than BA’s IT usually manages with mine?

(No e-mail for me yet, which suggests they’re batching and that the password/access problem might persist for a while as each tranche of notifications gets released.)
bafan, T8191, greg5 and 2 others like this.
NWIFlyer is offline  
Old Mar 5, 2021, 1:05 pm
  #65  
 
Join Date: Nov 2017
Programs: BA, Hilton
Posts: 2,084
Originally Posted by rumbataz
Do you know how long it takes to get the code? I tried to change my password 5 or 6 times over the last hour and I have not had a code to my email address or phone.
Mine was effectively instant.

It appears to be something of a mess at the moment tbh, it was only after I logged in with my new password that I was able to select how to receive the verification code which you have to explicitly action (i.e. press 'Send'), if you aren't reaching that step not sure what to suggest.

I logged in with email address rather than membership number, that seems to be more likely to succeed based on comments.
BertieBadger is offline  
Old Mar 5, 2021, 1:15 pm
  #66  
 
Join Date: Jun 2017
Location: SEA
Programs: BA GGL, Hyatt Globalist, HH Diamond, Marriott Gold
Posts: 185

We take the protection of your data very seriously.
UrbanLegend is offline  
Old Mar 5, 2021, 1:20 pm
  #67  
 
Join Date: Dec 2010
Location: UK
Programs: BAEC
Posts: 164
Why "Dear Customer" and not by my name as in every other email?

Why reset BA password if SITA didn't store BA password in the first place?
bafan likes this.
varkey is offline  
Old Mar 5, 2021, 1:24 pm
  #68  
 
Join Date: May 2008
Location: Berkshire
Programs: BA Lifetime Gold, GGL/CCR, Hilton Diamond, Accor Plat, Pucci Fan Club
Posts: 1,778
Check your spam folder if you haven't had the email. Mine was in there.

Changed password. Still wouldn't log me in. Won't accept my BAEC number.

Used my email address and new password. That then took me to the verification stage. Verification PIN number received immediately by email.

Then prompted to change password again. So used new password and then changed back to old password (very complicated PW only used on BA). That worked surprisingly (will probably change it again to be safe).

Still can't log on using my BAEC number ... they (BA) seem to have stopped this option I think as it just says the BAEC number isn't recognised. Assume BA are worried about the membership numbers being compromised.

Anyway logged in now using email address and new (old) password. What a monumental mess.
Geordie405 likes this.
oxtailsoup is offline  
Old Mar 5, 2021, 1:29 pm
  #69  
 
Join Date: Nov 2017
Programs: BA, Hilton
Posts: 2,084
Originally Posted by varkey
Why reset BA password if SITA didn't store BA password in the first place?
Because of fear over poor password practices.

As I understand it, they've got hold of the email addresses used by people's BA accounts.

Now, many people practice poor password hygiene, that is they will register with every site as e.g.

[email protected] / Password123

or whatever. Now there is no leak of the BA password here, but if miscreants can match up that email address that they do have to a password from *another* leak (e.g. from a site that may not even know it has been compromised) then together they have access to the BA account.

Yes, it's a pain for people who do manage passwords correctly, but they seem to have opted to inconvenience them to avoid problems with people who follow the poorer practices above.
DiamondMile likes this.
BertieBadger is offline  
Old Mar 5, 2021, 1:31 pm
  #70  
 
Join Date: May 2014
Posts: 7,168
Originally Posted by varkey
Why "Dear Customer" and not by my name as in every other email?

Why reset BA password if SITA didn't store BA password in the first place?
SITA provides the backbone to a lot of airline systems. Most of baggage messaging, for instance, uses SITA infrastructure; a lot of the CUTE sets in airports worldwide, where airlines share hardware, run on SITA. And there's more stuff. They even have a large part to play in biometric passport scanners. If BA and other airlines were rail franchises, SITA would be a bit like Network Rail; it's better to be safe and suggest a password reset than being sorry.
antichef likes this.
13901 is offline  
Old Mar 5, 2021, 1:35 pm
  #71  
:D!
 
Join Date: Sep 2012
Location: NW London and NW Sydney
Programs: BA Diamond, Hilton Bronze, A3 Diamond, IHG *G
Posts: 6,321
Right, I changed my password 3 times unsuccessfully, then thought of coming here. Using email address worked but can only log in with email address.

I manage all 7 accounts in my household. With the second account I went to "forgotten password" and entered the email as the Login ID, and after changing the password once I was immediately logged in, no double verification.

Now to do the next 5 accounts...
:D! is offline  
Old Mar 5, 2021, 2:06 pm
  #72  
 
Join Date: Aug 2009
Posts: 645
Managed to log in using email address rather than membership number after changing password twice. Presented with the two factor authorisation page, chose the email option as there wasn't a phone option offered and got an error saying the system was down and couldn't generate a code. Great work BA.
polochick is offline  
Old Mar 5, 2021, 2:10 pm
  #73  
 
Join Date: Mar 2020
Programs: British Airways GGL/CCR, Hilton Diamond & Marriott Gold
Posts: 2,606
This is simple risk mitigation. If you force everyone to reset your password, then in theory this eliminates any risk for BA. The SITA hack may evolve over time as they know more. By forcing a new password, they are forcing the protection that this brings upon you. They can then point to this as a measure if anything were to happen.
Geordie405 likes this.
PGberkshire is offline  
Old Mar 5, 2021, 2:40 pm
  #74  
 
Join Date: Aug 2006
Location: Switzerland
Posts: 1,568
Originally Posted by bafan
I'm as infuriated as everyone else. If the company didn't have my password, why is BA making me change it? This makes no sense whatsoever. Total and unnecessary hassle all round...
Just received the email and think I know why. It would also tie in to the issues some people here (and the parallel thread here about accounts being locked) are having trying to log in.

The data theft is a list of valid membership numbers and associated full name. Although I use a userid/password to log in, it appears many use their membership number. So, the hackers could use your name to go through various hacker databases and see if they have your password anywhere for any other website that might have been hacked over the years. Then, they will use that password and your membership ID to try to access your BA account.

Due to this, BA have asked you to change your password. In my opinion, I'd only bother doing this if you have used your current BA password anywhere else. As my BA password is unique, I've simply deleted the email and plan to do nothing. This has the added advantage in that it's easy.

It also seems that BA have locked accounts that use a membership number to log in, so you'll need to use your user-id. I don't know what happens if you have never created a user-id, maybe it's your email address?
adrianlondon is offline  
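
The risk described in posts #69 and #74 is reuse of a password already exposed in some other leak, so a forced reset helps most when the new password is itself checked against known leaks. An added example, not from the thread or from BA, of screening a reset password with a k-anonymity range query; the corpus, counts and function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample: passwords "seen" in earlier, unrelated leaks, with counts.
CONSTRUCTED_LEAKED = {"Password123": 3, "letmein": 42, "qwerty2020": 7}


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, used only as a lookup key, not for storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: dict) -> dict:
    """Group leaked hashes by their first 5 hex characters, as a range service would."""
    index = defaultdict(dict)
    for password, count in leaked.items():
        digest = sha1_hex(password)
        index[digest[:5]][digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_LEAKED)


def range_lookup(prefix: str) -> dict:
    """Hypothetical stand-in for a remote range query: it only ever sees the prefix."""
    return RANGE_INDEX.get(prefix, {})


def breach_count(password: str, lookup=range_lookup) -> int:
    """Send the 5-character prefix, then match the remaining suffix locally."""
    digest = sha1_hex(password)
    return lookup(digest[:5]).get(digest[5:], 0)


def screen_reset(new_password: str, lookup=range_lookup) -> tuple:
    """Decide whether a password chosen during a forced reset should be accepted."""
    hits = breach_count(new_password, lookup)
    if hits:
        return False, f"appears {hits} time(s) in known leaks; choose another"
    return True, "not found in the leak corpus"


if __name__ == "__main__":
    for candidate in ("Password123", "x7!Vq-unique-to-this-site-2021"):
        print(candidate, "->", screen_reset(candidate))
```
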
Old Mar 5, 2021, 2:43 pm
  #75  
 
Join Date: Sep 2010
Location: Las Vegas
Programs: BA Gold; Hilton Honors Diamond
Posts: 3,216
I know others are moaning about having to change their passwords but I know that I haven't changed my BAEC password in a very long time. From a security best practice point of view it's probably time I did, and if it encourages / compels others to do the same then it's not a bad thing.
slicktony likes this.
Geordie405 is offline  
