British Airways Was Hacked and All My Points Are Gone. Here’s What I Had to Do.

I couldn’t log into my British Airways Executive Club account today.

And I received an email from British Airways:

British Airways has become aware of some unauthorised activity in relation to your Executive Club account.

This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to your Executive Club account.

We understand this was login information relating to a different online service which you may have also used to access your Executive Club account.

Several fascinating things here:

  • This issue is widespread, reported on blogs and multiple frequent flyer forums. I had people tweet me asking whether my account was involved in the shutdown.
  • They appear to be implyig the hack was of Award Wallet (the only service I use to track my accounts). I’m skeptical. None of my other accounts have had any points drained.
  • Separately in the email they say the login was successful but no points were taken. I wonder how they then identified which accounts to lock down?

There’s something squirrely about the British Airways email, they just don’t strike me as being forthcoming.

The email contained a link to the password reset page. I entered my account number and that generated a password reset email. I reset my password (by simply entering a new one) and I had access to my account again.

All of my Avios points were gone.

This is apparently a temporary condition and they will let me know when I can spend my points again though I can call to get access to the points earlier.

Is it too cynical to wonder whether British Airways is all too willing to lock down points redemptions in advance of next month’s huge devaluation?

Update: It’s been pointed out to me that I may have misread the email.

We understand this was login information relating to a different online service which you may have also used to access your Executive Club account.

This may mean that the login information was used on another site, not that the other site was used to access BA.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »

Pingbacks

Comments

  1. I’ve never used Award Wallet and had my points (all 193 of them) taken, so it’s not that.

    I have not received any communication at all from BA.

  2. We here at British Hairways will have all points available for your redemption needs back on April 28th Just in time for our massive devaluation 🙂

  3. BAHAHHAHA. I said the same thing. Lock down the accounts so that people can’t redeem until they Devalue.

    Nice job BA – way to cause a widespread panic. Glad your actual customers could get through on your phone lines today with all the other panic you caused.

  4. lost my 100+K points today. I wonder what the “Ex-Gratia” in the account transactions means?? That term shows on my account as well.

  5. This is fishy for a simple reason: if your credentials are stolen, and a thief logs into your account as yourself, will he be able to generate an activity that would result in the “Ex-Gratia” transaction record? Not likely.

    Considering BA is making changes to their systems tomorrow, I bet this was a botched code release.

  6. My password doesn’t work. I only had 500 avios in the account, waiting to hear from BA.

  7. My password had to be reset and my 100k points are gone. Did you say we need to contact them or what do we need to do?

  8. It must be only you high rollers who have lost your miles; my 4k are still there in the account, thank goodness; now I’ll be able to sleep tonight, knowing my miles are safe.

  9. BTW I wondered what Ex-Gratia meant:

    Ex gratia (/ˌɛks ˈɡreɪʃiə/;[1] also spelled ex-gratia) is Latin for “by favour”, and is most often used in a legal context. When something has been done ex gratia, it has been done voluntarily, out of kindness or grace. In law, an ex gratia payment is a payment made without the giver recognising any liability or legal obligation.

  10. I believe there was a legit hack of their system. It probably happened months ago as I heard reports of accounts being compromised before this. I bet they thought they had it handled and just realized the hack was deeper, so they took some section of accounts and drained the points out as a precaution.

  11. Mine are gone as well… Just not as many as Gary! Is this a glitch gone bad or hack? opinions?

  12. i cldn’t log on to family or sub accounts this afternoon, so i called, they told me that they expect it all to be fixed within a week, and that they have taken the points out of the accounts, until it’s all sorted.

  13. Perfectly valid possibility that this information was obtained from award wallet.

    Perfect valid reason for airlines to block access to third party services such as this.

    Of course it might inconvenience us and we may refuse to believe it, but it actually costs airlines money if their information is to be available at third party sites and this is a classic example why.

    Absolutely guaranteed that AwardWallet cannot actually afford first class information security, regardless of comments to the contrary. They probably can’t even afford to understand what security they don’t even have.

  14. Maybe it is Award Wallet- mine are gone with the same notation- my husband ( who doesn’t use AW) still has his. (Similar balances- circa 27K )

  15. @srptraveler @Wendy – plenty of folks who don’t use AwardWallet had their accounts in the same status, and AwardWallet says it wasn’t them, there’s no reason at all to believe it was awardwallet. The programs get hacked while awardwallet seems to offer better security AND TO IMPROVE SECURITY for the programs because by helping you check you account balances regularly you know right away when anything is amiss

  16. Are you sure this wasn’t a phishing scam? I got a similar email claiming to be from USAir, but I did not respond. Perhaps when you responded you provided them the access they needed to take your points?

  17. I don’t think the email suggests it was Award Wallet at all. I think that’s just your interpretation.

    To me what they’re saying is that you might have used the same email and password for BA as you used for another service (lots of people do this) and THAT service was compromised. So the intruder knew various emails and passwords and tried them against BA.com to see which ones would work, and apparently some did. Maybe.

    Or they’re just throwing blame off themselves when its too early for them to know anyway.

    Personally I use LastPass to generate random passwords for EVERY site I visit, and I can guarantee the passwords I used on BA for myself, and the wife were both UNIQUE. So that explanation doesn’t fly with me. Regardless, my points are missing. No email from BA at all by the way.

  18. My account and my SO’s account are intact. About 100k points in each. We don’t use award wallet, but we do use the same password as some other sites. Actually come to think of it, my password used to be my facebook password and was hacked previously and thus is probably out there to steal. I should really get around to changing it…

  19. Dear Adios Account holders
    In lieu of our many customers missing Adios points we are pleased to announce a special targeted point bonus to all those affected by the evil hackers at Award Wallet
    This way those customers affected may earn points while buying full fare tickets(seat assignments and baggage extra)
    This will allow our valued customers the opportunities to redeem while we sort out their emptied accounts
    Thank You for your patience and we will certainly have this sorted out no later than May 1
    Thank You
    This has been a message from your good friends at Adios Executive Club

  20. Been locked out of Award Wallet and BA Executive Club, so I assume my Avios are gone, too.

    So now I’m watching NCAA and changing passwords…

  21. My 121k points are gone too with the same “ex-gratia” commentary. And just as some Business Class availability appeared for my BOS-DUB-BOS trip… we’ll see what happens in the morning when I call to try to upgrade my Economy seats to Business Class.

  22. Neither my husband nor I can even log into our accounts. A pop-up message tells us our user names (which are our account numbers) are incorrect. Prior to today, this has never happened. We have not yet received an email from BA.

  23. I’m locked out of my account, too. Tried to change my password 3 times, and it didn’t work. I am absolutely livid, not so much at the apparent data breach (everyone’s liable to being hacked, I get that), but at the piss poor way BA is going about this, and at their lack of communication in doing so.

    I will likely still fly on BA from time to time, but will probably credit BA miles to another program. The odds of me becoming more invested in BAEC are dropping dramatically the longer this crap goes on.

  24. My large balance is intact. I do use award wallet but I do not allow them to store my password on their site.
    Also I use unique passwords for each account.

    Responding to an email to reset a password? Very poor judgment in my opinion. That could be a phishing attempt.

  25. My 200k points are gone and I find it deplorable that BA has not at least posted a general statement on its website regarding this issue. I gather we don’t need to call BA unless there is an immediate need to use miles (thank you Tim in Post #16) – so BA could reduce the service center calls if it was more forthcoming.

  26. Yep I got locked out today and had to phone. They verified all my info and I had to get a password reset. My 618K points are now zero but they promise they’ll restore them.They never sent me an email informing me.

    What a clusterf… !

  27. my household account frozen too. miles removed. i spoke to a member in the executive club who told me “THEY CALL IT A HACK WITH BRITISH AIRWAYS BUT IT’S ACTUALY AN AUDIT RUNNING ON BRITISH AIRWAYS TO PREVENT ANY FRADULENT ACTIVITY…AND THAT “WITHIN 7 TO 14 WORKING DAYS THE AVIOS WILL BE REINSTATED.”

  28. I had over 350k Avios points taken. I noticed that the person redeemed it for a stay in Dubai. When I cakkef BA they let me know the name of the guest and u reported it to Dubai police and the hotel. They didn’t do anything. BA out ex gratis on the remaining 59k of my points to keep it safe. It’s been over 4 weeks since I spoke to BA. They keep telling me its stil under invrstigation.

  29. I’m using Avios this weekend and they told me they would “borrow” Avios against the balance. What you bet many people are “borrowing” who have almost no Avios anyway.

    “Devaluation” indeed.

  30. i called them this morning and, after a 60 min wait, they told me their system has been hacked… They told me to chance password. More news should come later… No very professionnal. I am using AW but, all the others accounts are ok…

  31. I just checked, my account zeroed out too. I had to reset password before I could login. Around 38k points are gone with the description “Ex­Gratia ­ Manual Avios Adjustment”. No communication from BA so far. I will call them on Monday if I don’t see any updates. (FYI, I use Awardwallet, but so far hard to believe it would be them, none of my other AW-managed accounts are hacked).

  32. Kudos, Gary! I never would have known of this problem except from you. My 3-person household was hacked for 115,000 avios points. (None of us use award wallet.) BA locked us all out of our accounts, with no notice of any sort. Calling their US club number results in busy signals, but I did get through to the Reservations folks, who transferred me to the Fraud Dept. They say the points will be restored seven business days from today and they will confirm this via email.

  33. I just did an UR transfer and the points did not transfer immediately (or at all), so it looks like they might have shut down inbound transfers also. Crap!

  34. A quick question – what do those of us who were locked out of our account do if we a) have not received an email from British Airways and/or b) have tried requesting a password and still have not received any word from BA?

  35. I reset my password last night… When I logged in this morning (3/30/15), all my points were back in my account. Looks like they are working their way back through accounts and unlocking the Avios they had temporarily pulled back to avoid any further hacks. Both the withdrawal and deposit of the BA Avios showed “Ex Gratia…”

Leave a Reply

Your email address will not be published. Required fields are marked *