SITA [airline IT provider] data breach, some BAEC data compromised
#1
Original Poster
Join Date: Nov 2009
Location: AMS/LON
Programs: BAEC Silver, TK Gold, Eurostar CB, FB Explorer
Posts: 242
Just received this.
Not a good time for a new breach, even if this doesn't look like BA's fault
________________________________________
From: British Airways Executive Club <[email protected]>
Sent: 05 March 2021 18:21
To: HappyintheAir
Subject: Important message from British Airways
Dear Customer,
We take the protection of your data very seriously.
We have been notified of a data breach at global technology company SITA, an IT services provider to many airlines around the world. SITA is not British Airways’ booking and reservations system provider and SITA’s breach does not involve our customers’ financial information or password as SITA does not have access to this data. Please be reassured that this incident was not a breach of British Airways' systems.
Along with many other airlines, we do share limited information with partner airlines in order to enhance your experience when flying with them. We have been notified by SITA that some British Airways Executive Club Members’ names, membership numbers and some of their preferences, such as seating, has been impacted.
The password you use for your account is not held by SITA and has not been put at risk by this breach.
As a precaution, given the potential that customers have re-used passwords used for other websites, we are taking the following action to protect you:
* Please log into your account and reset your password
* Please create a new password that you have not used elsewhere
* Once your password has been reset and you have completed a verification step, you will be able to regain full access to your account
We know fraudsters try to use situations like this to their advantage. We will not contact you by phone and ask for your password - please do not reveal your password to anyone claiming to be from British Airways. If you need to contact us, you can do so via our contact centres.
We are sorry for the inconvenience caused and thank you for your continued support and cooperation in helping us to keep your information safe and secure.
British Airways
#4
Join Date: Aug 2020
Location: Newquay
Programs: BA Silver, TAP Gold, Hilton Diamond
Posts: 99
Got the same email, I'm trying to log in to BA.com to change my password, but it took me to a different login page and now it's coming back with an error: We are not able to recognise the membership number that you have supplied. Please check and re-enter.
Anyone else experiencing the same error? I'll try to click on "Forgotten PIN/Password" and see what happens
Edit: Looking at the replies above, it's not just me. Thought my account was genuinely hacked...
Edit 2: Requesting a password reset has done the job. This was followed by a text message code verification (which should be made permanent imho) and another password reset. Either way, I'm in.
Last edited by MatJarosz; Mar 5, 2021 at 10:58 am
#5
Join Date: Jul 2005
Location: London, ARN, HEL, ..... or MAN
Programs: BA GGL / GFL, Mucci Diamond!, HH Diamond, Radisson Premium, IHG Gold, Hertz Gold
Posts: 5,902
Interesting. I got the same message from Lufthansa earlier today, although SITA wasn't directly named. Seems many airlines will be in a similar situation.
I can't log into ba.com either.
#6
Join Date: Mar 2019
Location: London
Programs: BAEC 1991
Posts: 45
I have had the same email and could not then log in to my account using the old details. I hit the forgotten password link and that did the trick. I had a subsequent authentication process using SMS/email to go through which involved a second change to the password.
#8
Join Date: Nov 2018
Location: BER
Programs: BA GGL, Hilton Diamond
Posts: 1,843
wonderful...
"We will not contact you by phone and ask for your password - please do not reveal your password to anyone claiming to be from British Airways. If you need to contact us, you can do so via our contact centres."
I got a text with the verification. That's a contact by phone.
#9
Join Date: Feb 2003
Location: Alexandria, VA - DCA
Programs: BA Gold, American Airlines, Marriott Plat, Hilton Diamond, IHG Diamond
Posts: 5,075
#11
Join Date: Nov 2018
Location: BER
Programs: BA GGL, Hilton Diamond
Posts: 1,843
#12
Moderator, Air Canada; FlyerTalk Evangelist
Join Date: Feb 2015
Location: YYC
Programs: AC SE MM, FB Plat, WS Plat, BA Silver, DL GM, Marriott Plat, Hilton Gold, Accor Silver
Posts: 16,775
Reset BA passwords because SITA was hacked, even though SITA doesn't have any BA password info? Puh-lease. So (based on what I read in another thread) AI's FFP info was hacked at SITA and maybe some people re-used their AI FFP passwords for BA? People re-use passwords across dozens or hundreds of websites. Is BA going to make us reset our passwords every time some other website gets hacked?
#14
Join Date: Nov 2008
Location: Varies
Programs: BA Silver, HHonors, SPG, Marriott, A|Club, Tesco CC, Costa Coffee Club
Posts: 421
I have had the same email and could not then log in to my account using the old details. I hit the forgotten password link and that did the trick. I had a subsequent authentication process using SMS/email to go through which involved a second change to the password.
Not well handled.
#15
Join Date: Jul 2011
Location: LCY / LHR / ZRH / JNB
Programs: BA
Posts: 120
Having received the email and then gone to ba.com (not by the link in the email, just as a common-sense measure), I sign in with existing credentials (entering my email address at the prompt that says 'email or username') and reach a page titled '2-Factor Authentication'. "Great!" I think. "Finally BA are adding 2FA to the account, about time too." Turns out, this isn't a page about having 2-factor on the account at all. It is merely a one-time SMS code that they send, in order to change the password.
Disappointing, but no matter. I am next told to change my password to a new secure value, the message saying that I can use numbers, upper and lower case letters, and special characters. I insert a 12-character string of randomised characters which happens to include a % sign. At which point the BA site tells me that my selected password is invalid because of the % sign.
I then insert a new random string, not including any special characters at all, and the site accepts this and tells me to log in to 'confirm' the details. I log in with the new details at which point I receive a message saying "We are unable to recognise your membership number."
No matter, press 'reset password' at which point a prompt appears which inexplicably asks for something called 'Login ID' instead of the usual 'Email or username' that BA ask for. I check through and haven't seen anything before called 'Login ID' so I try the BAEC membership number. This works and I receive a password reset link.
I go through the password reset process. The password change is accepted but I cannot log in, always receiving the same message that the 'Membership number, password or PIN is not recognised.'
On calling BA this is because my account is locked and the rep explains that it is probably because I have tried to change my password. The process for unlocking it is that he sends an email to a department and then after a few days it is unlocked.
It's just so poorly done. And such a puzzle, as there are so many bits of the IT that do really work pretty well, given what they have to glue together. But why this endless issue with credentials for the BAEC accounts? I don't wish to be obliged to change that password on each occasion that an unrelated company may have a breach, on the grounds that I 'may' use the same password elsewhere. I don't. I can't prove this to BA of course, but if they'd just enforce two factor authentication (which works perfectly well for example for my bank, or for my car key app), there wouldn't be the same circular issue all the time as they'd have less worry about customers who do practice poor password hygiene.