British Airways E-Mails About Hack Just A Few Days Late

Last week many of us were locked out of our British Airways Avios accounts. When we changed our passwords and got back in, we found our account balances had been wiped out.

This led me to write the post, Hey British Airways, Where Are My Avios?

BA let me know through Twitter that the Avios that went adios would be re-credited. Sure enough, right after the weekend and quicker than I had expected, my Avios had returned to my account.

Besides responding to my tweet, British Airways failed to communicate anything about what was going on with my Avios during this process.

Well what do you know, after my Avios were reinstated, I received an e-mail (the following day) from British Airways with the subject: “British Airways Executive Club password reset”.

Here is the message:

Dear Michael W.,

British Airways has become aware of some unauthorised activity in relation to your Executive Club account.

This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to your Executive Club account.

We understand this was login information relating to a different online service which you may have also used to access your Executive Club account.

We would like to reassure you that, although it does appear that the login attempt was successful, at this stage we are not aware of any access to any subsequent information pages within your account, including your flight history or payment card details.

We have now locked down your online account to protect it from further access. As part of the lock-down process we have also changed your password and you will need to reset it before you are able to use your account.

Please visit the British Airways website and follow the “Forgotten PIN/Password?” link, which can be found in the top right hand corner of our main home page.

If you use the same login details for your Executive Club account as you do for your online accounts with any other organisations, we would also recommend that you change the passwords for these accounts, as well as exercising vigilance regarding any unusual or suspicious use of your personal data.

Once again we are sorry for the concern and inconvenience this matter may have caused you and would like to reassure you that we are taking this incident seriously.

British Airways Executive Club team

When I saw this, I wondered a couple of things:

  1. Did I need to reset my password again?
  2. Did they remove my Avios again as a precaution?

It turned out that the answer to both questions was no.

After reading the e-mail, I realized that this was the message that BA should’ve sent to all of us when our accounts were locked and our balances were brought to zero.

So why did British Airways wait to send out this message after our accounts were restored back to normal? It seems like they did things a bit out of order…

4 thoughts on “British Airways E-Mails About Hack Just A Few Days Late”

  1. Glenn- I totally agree with your points. The handling of this whole situation was definitely best described as bizarre.

    Kenny- It’s definitely not right but at least our Avios were protected. I guess you’d give BA an F for how they handled the situation? I’d prob grade them a C.

    1. To be honest, I would have to agree with your overall grade of C. Functionally, the end goal was met: My Avios were protected, though it was annoying not to know what was going on (it would have really been bad if I was needing to book using Avios during that time).

      For Communication, definitely an F (I can’t think of any excuse for keeping people in the dark), but overall a C.

  2. Lucky you…at least you got an email.

    Also you can’t email them for support. You either have to call and wait for hours on hold, or berate them on social media. I chose the latter and finally got a weak acknowledgement from them on the 3rd try.

  3. Like you I believe that BA did basically the right things. They detected the issue. They pro-actively removed points from accounts to protect them. They forced a password change. They reinstated the points. All fine.

    And it’s even fine if the email went out a little after they started all of this. But here I’m talking hours not days. The team trying to prevent the fraud is of course front running this, but the social aspect being ignored for a week? Seriously?

    Not cool.
