14 DAY TRIAL // A significant number of frequent flyer accounts of British Airways customers were accessed without authorization by a third party, forcing the company to lock them down and reset the reward points balance to zero to avoid further damage.
The customers have been notified that the passwords for their account were reset and have been given instructions on how to regain access to the profile.
Recycled credentials at fault
It appears that the breach occurred at a different service, where customers had registered for an account and used the same credentials as those for the British Airways Executive Club profile.
In the letter sent on Friday, the company says that, although the unauthorized log-in attempts were successful, it has no evidence that other information except that related to the Executive Club reward program was accessed by the intruders.
This means that details about flight history and personal information, which could be used in phishing operations, and payment card data were not exposed to the trespassers.
British Airways has also announced that the use of Avios, the reward points given to frequent flyers, has also been suspended as a precaution.
The benefits are still available, though, and can be re-activated via the local Executive Club service center, by answering some security questions.
Reward points will be restored
The company has millions of customers, but according to online sources, the number of individuals impacted by this incident amounts to tens of thousands.
Avios can be used to get free flights (taxes, fees and carrier charges excluded) to any available destination in the world, for upgrades or for getting a discount on regular bookings.
Since they are as good as cash, it is easy to understand why these would be attractive to cybercriminals, especially when there are online services specialized in trading them for cash or gift cards to retailers.
Some people have accumulated over 70,000 reward points, and at the moment the company is working on restoring the balance, although no timeframe has been given. Others report Avios in excess of 100,000.
One customer, with about 700,000 reward points in his account, said on Sunday that he managed to access the profile by resetting the password following the “forgotten password” instructions. This happened prior to receiving the email from British Airways detailing the incident and it is unclear whether the Avios were also restored.