Go Back  FlyerTalk Forums > Miles&Points > Airlines and Mileage Programs > British Airways | Executive Club
Reload this Page >

SITA [airline IT provider] data breach, some BAEC data compromised

SITA [airline IT provider] data breach, some BAEC data compromised

Old Mar 5, 21, 10:33 am
  #1  
Original Poster
 
Join Date: Nov 2009
Location: AMS/LON
Programs: BAEC Gold, TK Gold, Eurostar CB, FB Silver
Posts: 174
SITA [airline IT provider] data breach, some BAEC data compromised

Just received this.

Not a good time for a new breach, even if this doesn't look like BA's fault
________________________________________
From: British Airways Executive Club <[email protected]>
Sent: 05 March 2021 18:21
To: HappyintheAir
Subject: Important message from British Airways

Dear Customer,

We take the protection of your data very seriously.

We have been notified of a data breach at global technology company SITA, an IT services provider to many airlines around the world. SITA is not British Airways’ booking and reservations system provider and SITA’s breach does not involve our customers’ financial information or password as SITA does not have access to this data. Please be reassured that this incident was not a breach of British Airways' systems.

Along with many other airlines, we do share limited information with partner airlines in order to enhance your experience when flying with them. We have been notified by SITA that some British Airways Executive Club Members’ names, membership numbers and some of their preferences, such as seating, has been impacted.

The password you use for your account is not held by SITA and has not been put at risk by this breach.

As a precaution, given the potential that customers have re-used passwords used for other websites, we are taking the following action to protect you:

* Please log into your account and reset your password
* Please create a new password that you have not used elsewhere
* Once your password has been reset and you have completed a verification step, you will be able to regain full access to your account

We know fraudsters try to use situations like this to their advantage. We will not contact you by phone and ask for your password - please do not reveal your password to anyone claiming to be from British Airways. If you need to contact us, you can do so via our contact centres.

We are sorry for the inconvenience caused and thank you for your continued support and cooperation in helping us to keep your information safe and secure.

British Airways
MatJarosz likes this.
happyintheair is offline  
Old Mar 5, 21, 10:40 am
  #2  
 
Join Date: Aug 2014
Location: Bucks UK
Programs: BA Silver
Posts: 50
Great !

Just tried to change my password, but I cant access my account anymore.
geo1005 and andymcdonnell like this.
Jordi14 is offline  
Old Mar 5, 21, 10:43 am
  #3  
 
Join Date: Jul 2016
Posts: 80
Originally Posted by Jordi14 View Post
Great !

Just tried to change my password, but I cant access my account anymore.
Same! I successfully changed mine, but now I can’t log into my account with the old or the new password.
becks1 is offline  
Old Mar 5, 21, 10:45 am
  #4  
 
Join Date: Aug 2020
Location: Newquay
Programs: BA Silver, TAP Gold, Hilton Diamond
Posts: 54
Got the same email, I'm trying to log in to BA.com to change my password, but it took me to a different login page and now it's coming back with an error: We are not able to recognise the membership number that you have supplied. Please check and re-enter.

Anyone else experiencing the same error? I'll try to click on "Forgotten PIN/Password" and see what happens

Edit: Looking at the replies above, it's not just me. Throught my account was genuinely hacked...
Edit 2: Requesting a password reset has done the job. This was followed by a text message code verification (which should be made permanent imho) and another password reset. Either way, I'm in.
SxMan likes this.

Last edited by MatJarosz; Mar 5, 21 at 10:58 am
MatJarosz is offline  
Old Mar 5, 21, 10:49 am
  #5  
 
Join Date: Jul 2005
Location: London, ARN, HEL, ..... or MAN
Programs: BA GFL, GGL, CCR, Mucci Diamond!, HH Diamond, Radisson Gold, Hertz Gold 5*
Posts: 4,846
Interesting. I got the same message from Lufthansa earlier today, although SITA wasn't directly named. Seems many airlines will be in a similar situation.

I can't log into ba.com either.
KeaneJohn and SxMan like this.
ThatT1Feeling is offline  
Old Mar 5, 21, 10:51 am
  #6  
 
Join Date: Mar 2019
Location: London
Programs: BAEC 1991
Posts: 45
I have had the same email and could not then login into my account using the old details. I hit the forgotten password link and that did the trick. I had a subsequent authentication process using SMS/email to go through which involved a second change to the password.
Blackheathflyer is offline  
Old Mar 5, 21, 10:52 am
  #7  
 
Join Date: Nov 2018
Posts: 1,291
got the mail, changed the passwort. can login.
Nephoi is offline  
Old Mar 5, 21, 10:56 am
  #8  
 
Join Date: Nov 2018
Posts: 1,291
wonderful...

"We will not contact you by phone and ask for your password - please do not reveal your password to anyone claiming to be from British Airways. If you need to contact us, you can do so via our contact centres."

i got a text with the verification. thats a contact by phone.
SxMan likes this.
Nephoi is offline  
Old Mar 5, 21, 10:57 am
  #9  
 
Join Date: Feb 2003
Location: Alexandria, VA - DCA
Programs: BA Silver, American Airlines, Marriott Gold LT, Hilton Diamond, IHG Plat
Posts: 4,998
Originally Posted by Jordi14 View Post
Great !

Just tried to change my password, but I cant access my account anymore.
My experience as well! That. Is. Pathetic.
Nephoi likes this.
geo1005 is offline  
Old Mar 5, 21, 11:00 am
  #10  
 
Join Date: Nov 2013
Location: South Glos, UK
Programs: BAEC, Hilton Honors, Marriott Rewards
Posts: 792
Originally Posted by Jordi14 View Post
Great !

Just tried to change my password, but I cant access my account anymore.
Same here.
wb1969 is offline  
Old Mar 5, 21, 11:00 am
  #11  
 
Join Date: Nov 2018
Posts: 1,291
Originally Posted by geo1005 View Post
My experience as well! That. Is. Pathetic.
on every contact with BA on the phone when something isnt working im just saying "you struggle with BA's IT? thats funny. me too. thats why i have to call you"
Nephoi is offline  
Old Mar 5, 21, 11:02 am
  #12  
Moderator, Air Canada; FlyerTalk Evangelist
 
Join Date: Feb 2015
Location: YYC
Programs: AC SE100K, WS Gold, BA Silver, Marriott Titanium, Accor/Hilton/Radisson/NH Gold
Posts: 11,275
Reset BA passwords because SITA was hacked, even though SITA doesn't have any BA password info? Puh-lease. So (based on what I read in another thread) AI's FFP info was hacked at SITA and maybe some people re-used their AI FFP passwords for BA? People re-use passwords across dozens or hundreds of websites. Is BA going to make us reset our passwords every time some other website gets hacked?
bafan, Thomathy, :D! and 2 others like this.
Adam Smith is offline  
Old Mar 5, 21, 11:03 am
  #13  
 
Join Date: Mar 2017
Location: Lincolnshire, UK
Programs: BA GGL - maybe only briefly!
Posts: 758
Are we assuming that the email is genuine?

One of us, who uses BA rarely, got an odd POUG email earlier today and then this. And would it normally say "Dear Customer'?
vintagepilot is offline  
Old Mar 5, 21, 11:03 am
  #14  
 
Join Date: Nov 2008
Location: Varies
Programs: BA Silver, HHonors, SPG, Marriott, A|Club, Tesco CC, Costa Coffee Club
Posts: 405
Originally Posted by Blackheathflyer View Post
I have had the same email and could not then login into my account using the old details. I hit the forgotten password link and that did the trick. I had a subsequent authentication process using SMS/email to go through which involved a second change to the password.
Yes, that’s exactly it. TWO password changes are required. It gets confusing when you do the second password change, as you are uncertain if “existing” password is the “original” password, or the new one you specified a few minutes earlier (it is!).

Not well handled.
SxMan likes this.
larryflyer is offline  
Old Mar 5, 21, 11:03 am
  #15  
 
Join Date: Jul 2011
Location: UK / CH
Programs: BA
Posts: 97
Thumbs down

Originally Posted by Jordi14 View Post
Just tried to change my password, but I cant access my account anymore.
Likewise. I am not a BA-basher but the IT really is so poorly-done. For a start, I don't understand why I have been sent this email and required to change my password, if, as they say, no password data has been leaked (presumably when they say 'data' they mean hashes or something, I can't imagine they would store actual passwords?) The email says it is because I 'may' use the same password on multiple sites. Well, I don't, and I don't really appreciate BA locking out the account every few months on the grounds that they think I might. I'd consider my banking details to be quite an important item from a security point of view, and yet they don't email me periodically to say they have lost yet more data, or to make baseless accusations of password re-use.

Having received the email and then gone to ba.com (not by the link in the email, just as a common-sense measure), I sign in with existing credentials (entering my email address at the prompt that says 'email or username') and reach a page titled '2-Factor Authentication'. "Great!" I think. "Finally BA are adding 2FA to the account, about time too." Turns out, this isn't a page about having 2-factor on the account at all. It is merely a one-time SMS code that they send, in order to change the password.

Disappointing, but no matter. I am next told to change my password to a new secure value, the message saying that I can use numbers, upper and lower case letters, and special characters. I insert a 12-character string of randomised characters which happens to include a % sign. At which point the BA site tells me that my selected password is invalid because of the % sign.

I then insert a new random string, not including any special characters at all, and the site accepts this and tells me to log in to 'confirm' the details. I log in with the new details at which point I receive a message saying "We are unable to recognise your membership number."

No matter, press 'reset password' at which point a prompt appears which inexplicably asks for something called 'Login ID' instead of the usual 'Email or username' that BA ask for. I check through and haven't seen anything before called 'Login ID' so I try the BAEC membership number. This works and I receive a password reset link.

I go through the password reset process. The password change is accepted but I cannot log in, always receiving the same message that the 'Membership number, password or PIN is not recognised.'

On calling BA this is because my account is locked and the rep explains that it is probably because I have tried to change my password. The process for unlocking it is that he sends an email to a department and then after a few days it is unlocked.

It's just so poorly done. And such a puzzle, as there are so many bits of the IT that do really work pretty well, given what they have to glue together. But why this endless issue with credentials for the BAEC accounts? I don't wish to be obliged to change that password on each occasion that an unrelated company may have a breach, on the grounds that I 'may' use the same password elsewhere. I don't. I can't prove this to BA of course, but if they'd just enforce two factor authentication (which works perfectly well for example for my bank, or for my car key app), there wouldn't be the same circular issue all the time as they'd have less worry about customers who do practice poor password hygiene.
Thomathy is offline  

Thread Tools
Search this Thread
Search Engine: