Thousands of British Airways frequent flyer accounts were accessed after hackers used information collected from a third party to try to gain access to some accounts.
In a statement, BA said that the access was “login information relating to a different online service which you may have also used to access your Executive Club account”.
It said: “We would like to reassure you that, although it does appear that the login attempt was successful, at this stage we are not aware of any access to any subsequent information pages within your account, including your flight history or payment card details.
“We have now locked down your online account to protect it from further access. As part of the lock-down process we have also changed your password and you will need to reset it before you are able to use your account.”
BA recommended changing passwords for any accounts using the same credentials and apologised for “the concern and inconvenience this matter has caused”.
As a precaution, BA has suspended the use of Avios on some accounts, the currency of the frequent flyer programme. From the 27th March, a large number of people found that their Avios balance had been reset to zero with a deduction showing on their list of transactions.
Brian Spector, CEO of Certivox, said: “Reusing stolen logins from one service to another is one of the oldest password related scams out there, but unfortunately something that will continue to happen whilst companies insist on using this outdated authentication method.
“Whilst British Airways has communicated proactively with its users and is working to determine the scale of the problem, the reputational damage has already been done.”
Charles Sweeney, CEO of Bloxx, said: “BA is yet another organisation in a long list of high profile brands to fall victim to hackers. Like those that have gone before it, the company will want to act quickly to reassure customers. However, the route of the attack – using data gleamed from a third party elsewhere on the internet – will raise questions about how confident the company can be in these assurances and what other information is out there that could be used against it.”
[…] the case of the British Airways incident, a third party “using information obtained elsewhere on the internet, via an automated process, […]