British Airways says rewards accounts hacked, locked down

British Airways has “locked down a number” of customers' frequent flyer accounts after an unauthorized third party apparently tried to access some Executive Club and Registered Customer accounts.

In a statement on its website, the airline noted that the attackers seemingly used “'login' information relating to a different online service which customers may have also used to access their Executive Club accounts.”

Saying that it was taking the incident “seriously,” the company apologized for any inconvenience it had caused and tried to reassure customers that while the login attempt appeared to be “successful on a small percentage of accounts,” it was currently “not aware of any access to any subsequent information pages within accounts, including flight histories or payment card details.”

To protect customer data as well as their Avios reward miles, British Airways locked down the accounts and told customers to reset their passwords. “The locking of accounts by British Airways means any locked accounts will automatically show the Avios balance as zero, as we have protected those in our systems,” the statement said, noting that it was hoping to “unlock significant numbers of accounts.”

The airline urged customers to change passwords on any other online accounts for which they might use the same login details and to look for “unusual or suspicious use” of their data. But Jovi Umawing, a malware intelligence analyst at Malwarebytes, said in comments emailed to SCMagazine.com that the lack of information coming from the airline “only makes it more difficult for Executive Club members to identify and lock down any weaknesses in their online accounts.”

In the last year, hackers have targeted airline frequent flyer customers. Still, Jonathan Sander, Strategy & Researcher Officer at STEALTHbits, said in comments emailed to SCMagazine.com that, if the hackers “were trying to fly under the radar and steal some points, picking on frequent flyers that obsess over every mile earned may have been a bad choice.”

Sander laid at least some of the blame on those passengers, though, noting that if “access was gained using email and password data stolen elsewhere, then these frequent flyers also made a bad choice by ignoring the often repeated advice from security experts not to use the same password for multiple sites or services.”

Those practices, he said, may have “cost fliers hard-earned miles” if they were indeed stolen, unless British Airways will “take the hit and give customers back what was taken.”
