happyintheair

Just received this.

Not a good time for a new breach, even if this doesn't look like BA's fault
________________________________________
From: British Airways Executive Club <[email protected]>
Sent: 05 March 2021 18:21
To: HappyintheAir
Subject: Important message from British Airways

Dear Customer,

We take the protection of your data very seriously.

We have been notified of a data breach at global technology company SITA, an IT services provider to many airlines around the world. SITA is not British Airways’ booking and reservations system provider and SITA’s breach does not involve our customers’ financial information or password as SITA does not have access to this data. Please be reassured that this incident was not a breach of British Airways' systems.

Along with many other airlines, we do share limited information with partner airlines in order to enhance your experience when flying with them. We have been notified by SITA that some British Airways Executive Club Members’ names, membership numbers and some of their preferences, such as seating, has been impacted.

The password you use for your account is not held by SITA and has not been put at risk by this breach.

As a precaution, given the potential that customers have re-used passwords used for other websites, we are taking the following action to protect you:

* Please log into your account and reset your password
* Please create a new password that you have not used elsewhere
* Once your password has been reset and you have completed a verification step, you will be able to regain full access to your account

We know fraudsters try to use situations like this to their advantage. We will not contact you by phone and ask for your password - please do not reveal your password to anyone claiming to be from British Airways. If you need to contact us, you can do so via our contact centres.

We are sorry for the inconvenience caused and thank you for your continued support and cooperation in helping us to keep your information safe and secure.

British Airways

Jordi14

Great !

Just tried to change my password, but I cant access my account anymore.

becks1

Same! I successfully changed mine, but now I can’t log into my account with the old or the new password.

MatJarosz

Got the same email, I'm trying to log in to BA.com to change my password, but it took me to a different login page and now it's coming back with an error: We are not able to recognise the membership number that you have supplied. Please check and re-enter.

Anyone else experiencing the same error? I'll try to click on "Forgotten PIN/Password" and see what happens

Edit: Looking at the replies above, it's not just me. Throught my account was genuinely hacked...
Edit 2: Requesting a password reset has done the job. This was followed by a text message code verification (which should be made permanent imho) and another password reset. Either way, I'm in.

ThatT1Feeling

Interesting. I got the same message from Lufthansa earlier today, although SITA wasn't directly named. Seems many airlines will be in a similar situation.

I can't log into ba.com either.

Blackheathflyer

I have had the same email and could not then login into my account using the old details. I hit the forgotten password link and that did the trick. I had a subsequent authentication process using SMS/email to go through which involved a second change to the password.

Nephoi

got the mail, changed the passwort. can login.

Nephoi

wonderful...

"We will not contact you by phone and ask for your password - please do not reveal your password to anyone claiming to be from British Airways. If you need to contact us, you can do so via our contact centres."

i got a text with the verification. thats a contact by phone.

geo1005

My experience as well! That. Is. Pathetic.

wb1969

Same here.

Nephoi

on every contact with BA on the phone when something isnt working im just saying "you struggle with BA's IT? thats funny. me too. thats why i have to call you"

Adam Smith

Reset BA passwords because SITA was hacked, even though SITA doesn't have any BA password info? Puh-lease. So (based on what I read in another thread) AI's FFP info was hacked at SITA and maybe some people re-used their AI FFP passwords for BA? People re-use passwords across dozens or hundreds of websites. Is BA going to make us reset our passwords every time some other website gets hacked?

vintagepilot

Are we assuming that the email is genuine?

One of us, who uses BA rarely, got an odd POUG email earlier today and then this. And would it normally say "Dear Customer'?

larryflyer

Yes, that’s exactly it. TWO password changes are required. It gets confusing when you do the second password change, as you are uncertain if “existing” password is the “original” password, or the new one you specified a few minutes earlier (it is!).

Not well handled.

Thomathy

Likewise. I am not a BA-basher but the IT really is so poorly-done. For a start, I don't understand why I have been sent this email and required to change my password, if, as they say, no password data has been leaked (presumably when they say 'data' they mean hashes or something, I can't imagine they would store actual passwords?) The email says it is because I 'may' use the same password on multiple sites. Well, I don't, and I don't really appreciate BA locking out the account every few months on the grounds that they think I might. I'd consider my banking details to be quite an important item from a security point of view, and yet they don't email me periodically to say they have lost yet more data, or to make baseless accusations of password re-use.

Having received the email and then gone to ba.com (not by the link in the email, just as a common-sense measure), I sign in with existing credentials (entering my email address at the prompt that says 'email or username') and reach a page titled '2-Factor Authentication'. "Great!" I think. "Finally BA are adding 2FA to the account, about time too." Turns out, this isn't a page about having 2-factor on the account at all. It is merely a one-time SMS code that they send, in order to change the password.

Disappointing, but no matter. I am next told to change my password to a new secure value, the message saying that I can use numbers, upper and lower case letters, and special characters. I insert a 12-character string of randomised characters which happens to include a % sign. At which point the BA site tells me that my selected password is invalid because of the % sign.

I then insert a new random string, not including any special characters at all, and the site accepts this and tells me to log in to 'confirm' the details. I log in with the new details at which point I receive a message saying "We are unable to recognise your membership number."

No matter, press 'reset password' at which point a prompt appears which inexplicably asks for something called 'Login ID' instead of the usual 'Email or username' that BA ask for. I check through and haven't seen anything before called 'Login ID' so I try the BAEC membership number. This works and I receive a password reset link.

I go through the password reset process. The password change is accepted but I cannot log in, always receiving the same message that the 'Membership number, password or PIN is not recognised.'

On calling BA this is because my account is locked and the rep explains that it is probably because I have tried to change my password. The process for unlocking it is that he sends an email to a department and then after a few days it is unlocked.

It's just so poorly done. And such a puzzle, as there are so many bits of the IT that do really work pretty well, given what they have to glue together. But why this endless issue with credentials for the BAEC accounts? I don't wish to be obliged to change that password on each occasion that an unrelated company may have a breach, on the grounds that I 'may' use the same password elsewhere. I don't. I can't prove this to BA of course, but if they'd just enforce two factor authentication (which works perfectly well for example for my bank, or for my car key app), there wouldn't be the same circular issue all the time as they'd have less worry about customers who do practice poor password hygiene.