SITA [airline IT provider] data breach, some BAEC data compromised
#76
Join Date: Nov 2017
Programs: BA, Hilton
Posts: 2,091
... So, the hackers could use your name to go through various hacker databases and see if they have your password anywhere for any other website that might have been hacked over the years. Then, they will use that password and your membership ID to try to access your BA account.
That's why it's important to use unique passwords (as I'm sure you appreciate but others may not), and why the BA email asks people to use a password they've never used elsewhere.
#77
Join Date: Jun 2012
Programs: IHG Spire Ambassador, Club Carlson Gold, HHonors Gold, Best Western Diamond Select, BA Blue
Posts: 1,335
When I tried to use my email address to change my password, it did not recognise my email address.
#78
Join Date: Jun 2015
Location: LHR, LGW
Programs: BAEC
Posts: 3,440
#80
Join Date: Nov 2004
Location: ORD, LHR, FCO
Programs: BA Gold, etc. etc.
Posts: 1,402
BREAKING: At least 30,000 U.S. organizations have been newly hacked through an exploit in Microsoft Exchange server, Krebs reports. (via @EamonJavers)
#81
Join Date: Feb 2015
Programs: BA Gold, Avis President
Posts: 438
I have tried my membership number (which is what I normally use) and my email address. I don't know about having a user ID. My membership number was recognised, and I managed to change my password. It directed me to go to the login page, but I was unable to log in. I did not receive any verification code.
When I tried to use my email address to change my password, it did not recognise my email address.
#82
Join Date: Nov 2017
Programs: BA
Posts: 105
I have tried my membership number (which is what I normally use) and my email address. I don't know about having a user ID. My membership number was recognised, and I managed to change my password. It directed me to go to the login page, but I was unable to log in. I did not receive any verification code.
When I tried to use my email address to change my password, it did not recognise my email address.
This is an improvement on the response from the last hack where I heard from my credit card company that BA had been hacked, but it is not good that I can't access my account.
I actually want to make a booking but can't see when my other bookings are to avoid a conflict.
#84
Join Date: Nov 2017
Programs: BA, Hilton
Posts: 2,091
I'd guess most account fraud takes the form of 'selling' avios from hacked accounts to third parties.
#87
Original Poster
Join Date: Nov 2009
Location: AMS/LON
Programs: BAEC Silver, TK Gold, Eurostar CB, FB Explorer
Posts: 242
I'm the OP, I just wanted to be a helpful FT-er and thought the mail was interesting enough to share.
I have more avios than I can spend at the moment (who doesn't?) and assumed no fault on BA's side, but the system changes their mail requested/demanded, and how their systems then dealt with those changes, are... not great.
#90
Join Date: Jun 2008
Location: BER
Programs: BAEC GGL/GfL, Lufthansa SEN, Hilton Diamond, misc other stuff
Posts: 1,374
For those that are wondering why only a specific subset of data appears to be affected, but why airlines want you to change your password anyway, here's my theory using random airlines.
Imagine you are at BKK airport checking in for a Thai (TG) flight. You have luggage and a Swiss (LX) Miles&More card with Gold status. You want to use the Gold benefit.
How can TG check whether your LX status is current and they should grant you Star Gold benefits like free luggage?
There has to be an API and there has to be a provider for that. This COULD be SITA.
TG swipes the LX card and uses the name + airline frequent flyer number (e.g. El_Duderito, LX 2220 1234 5678 123) to dip into the SITA system to get an answer along the lines of 'does not exist', 'has Star Silver' or 'has Star Gold'. SITA has to store that information somewhere (e.g. get it pushed by all participating airlines or query through to the actual airline).
More importantly, TG will most likely cache the data somewhere since they can expect to use it again while the pax is passing through the airport: during the check-in process to print status on the boarding pass, for fast track checks, for lounge access... lots of cases.
If this is the use case, I believe the airline emails claiming that only this data was leaked. LH has absolutely no interest in providing fine-grained information beyond the absolute minimum. Why should they tell their competition that a customer is a LX HON, where he lives or what his CIV equivalent is?
The problem is that armed with a list of current names and frequent flyer numbers you can cause quite some damage. Brute force attacks on other systems and APIs are much more effective if you don't have to search the whole number range for the frequent flyer numbers but only focus on those that a) are known to be valid and b) have Gold status.
As an attacker what would I do? Try to find an API that provides you with all PNRs attached to a specific frequent flyer number/name combination.
Don't believe that they exist? They unfortunately do. I personally found, reported and had a major issue fixed last year. The bug fix included software updates/config changes on multiple websites and could not just be pushed by the software provider.
Don't believe these issues exist today? I won't name the airline, but even today you can look up reservations and check in using a name + frequent flyer combination.
If you cannot find one that looks up all reservations, try to check in using a frequent flyer number on a website.
In a non-public document I've shown the full escalation from a random frequent flyer number all the way to getting personal information including known traveler numbers, visa information, addresses and all those lovely ticket remarks.
I can understand that airlines are nervous.
Btw: why does BA include information like status, tier points and Avios in your account in the notification email? Try resetting your password and check the header of that mail. Why does it tell you your status, tier points and Avios in the account?
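Post #90's point is that a name + frequent flyer number lookup endpoint becomes a cheap enumeration target once a list of valid numbers has leaked. One defensive consequence is that the operator of such an endpoint can watch its access log for a single client querying many distinct numbers in a short window. The detector below is an added example and is not code from the post, from SITA or from any airline; the endpoint path, log format and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log for a hypothetical status-lookup endpoint
# (format assumed: ISO timestamp, client IP, request line, HTTP status).
SAMPLE_LOG = """\
2021-03-05T09:20:00 203.0.113.7 GET /api/status?ffn=2220000000001&name=SMITH 404
2021-03-05T10:00:01 198.51.100.4 GET /api/status?ffn=2220123456781&name=JONES 200
2021-03-05T10:00:05 203.0.113.7 GET /api/status?ffn=2220123456781&name=JONES 200
2021-03-05T10:00:06 203.0.113.7 GET /api/status?ffn=2220123456782&name=JONES 404
2021-03-05T10:00:07 203.0.113.7 GET /api/status?ffn=2220123456783&name=JONES 404
2021-03-05T10:00:08 203.0.113.7 GET /api/status?ffn=2220123456784&name=JONES 404
2021-03-05T10:00:09 203.0.113.7 GET /api/status?ffn=2220123456785&name=JONES 404
2021-03-05T10:00:10 203.0.113.7 GET /api/status?ffn=2220123456786&name=JONES 200
2021-03-05T10:01:30 198.51.100.4 GET /api/status?ffn=2220123456781&name=JONES 200
2021-03-05T10:02:00 198.51.100.4 GET /api/status?ffn=2220987654321&name=BROWN 200
2021-03-05T10:03:00 198.51.100.4 GET /api/status?ffn=2220123456781&name=JONES 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET /api/status\?ffn=(\d+)&name=\S+ \d{3}$")


def parse_line(line):
    """Return (timestamp, ip, ffn) for a lookup line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_enumeration(log_text, window=timedelta(minutes=5), max_distinct=5):
    """Map each client IP to the largest number of distinct frequent flyer
    numbers it queried inside any sliding `window`, keeping only clients
    that exceeded `max_distinct` (repeat lookups of one number don't count)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev[1]].append((ev[0], ev[2]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while events[start][0] < ts - window:  # drop events older than the window
                start += 1
            distinct = {ffn for _, ffn in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

A check-in desk or kiosk address will legitimately look up many different passengers, so thresholds need tuning per source type rather than one global value.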