Don’t panic. That’s the wise advice from Douglas Adams’ “The Hitchhiker’s Guide To The Galaxy”. It’s a pretty good thought to remember when you’re traveling and the unexpected happens.
Yesterday, many people were surprised to find that they were unable to access their British Airways Executive Club accounts.
Their login credentials were not accepted, so they requested password resets. Once they were back in their accounts, the accounts showed an Avios balance of zero, with all the miles having been removed with an action called “ex-gratia”.
Naturally, this was concerning to the customers who first discovered the issue. However, in the ensuing hours, word spread quickly about what had happened, both from people who had called customer service and from British Airways itself via social media and e-mail. FlyerTalk has a long thread with the latest information people have gathered.
Here’s the full text of the e-mail British Airways has been sending out (though not everyone affected has received it so far, myself included – the text comes via Miles from Blighty).
British Airways has become aware of some unauthorised activity in relation to your Executive Club account.
This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to your Executive Club account.
We understand this was login information relating to a different online service which you may have also used to access your Executive Club account.
We would like to reassure you that, although it does appear that the login attempt was successful, at this stage we are not aware of any access to any subsequent information pages within your account, including your flight history or payment card details.
We have now locked down your online account to protect it from further access. As part of the lock-down process we have also changed your password and you will need to reset it before you are able to use your account.
Please click here and follow the password reset process.
If you use the same login details for your Executive Club account as you do for your online accounts with any other organisations, we would also recommend that you change the passwords for these accounts, as well as exercising vigilance regarding any unusual or suspicious use of your personal data.
For a short period of time, as a precaution, we have also suspended the use of Avios on your account. We will let you know when this suspension period is over.
In the meantime, however, if you wish to spend your Avios please contact us via your local Executive Club service centre. We will be able to reactivate your account by asking you some additional security questions.
We are sorry for the concern and inconvenience this matter may have caused you and would like to reassure you that we are taking this incident seriously.
British Airways Executive Club team
I tried logging into my account, only to find that mine is indeed one of the affected accounts. Yet I’m not worried.
Here are my thoughts:
1) Don’t panic. If you don’t need to make an immediate Avios redemption with BA, don’t call customer service.
All this will do is make things more difficult for people who have legitimate redemptions to make ASAP and people who are traveling and need assistance. It has been made (somewhat) clear what has happened regarding the account freezes, so there’s no need to be the 100,000th person to hear the same story. While the specter of the upcoming Avios devaluation on April 28th is making some people legitimately concerned, there is still another month before that happens. Hopefully BA will extend the devaluation date if people are locked out of their accounts for an extended period, but that remains to be seen. Whatever the case, BA should know which accounts they have frozen and the amounts that they zeroed out, so they can restore everything once their site has been secured again. Now if weeks go by and our points aren’t restored, then by all means let’s get the torches and pitchforks out.
2) Always treat your frequent flier accounts like the currency that they are
Many of us had Avios balances that are in the six or seven figures, meaning the value of these accounts is in the thousands of dollars or pounds. You wouldn’t have a weak password for your bank account, so make sure all of your frequent flier accounts have strong, unique passwords as well. Additionally, I monitor my accounts frequently through AwardWallet (easier to do it all in one place), but that brings me to my next point…
3) What caused this to happen?
British Airways has not made this clear. While some have speculated that it was via AwardWallet, AwardWallet claims this was not the case. Non-AwardWallet users have reported that their accounts have been frozen as well. There is also speculation that another tracking system called TripIt could be the issue. Whatever the case, BA acted preemptively and likely froze many more accounts than were impacted. I don’t use TripIt to track balances, just AwardWallet. This is actually good if they were overly cautious, as many companies hide the impact of hacks, with news leaking out much later. Of course, it’s still possible for us to learn that the actual breach happened a while back. I’d rather have British Airways proactively freeze my account as a precaution than leave whatever it was that was breached in place while they investigate and fix it.
4) Why has British Airways’ communication about this account freezing issue been so bad?
Yeah, it’s been bad, but they’re in a tough place. We don’t know what percentage of their accounts they have needed to freeze. They don’t want to cause confusion and panic among people who aren’t affected. That said, they should at least be posting a link to the e-mail above for people who try to log in and find that they can’t.
Regarding the e-mails, I can’t say for sure why not everyone has received them, but there could be several reasons. One, if people have opted out of communications, those opt-outs may have been applied to this. Two, it’s not necessarily easy to send out a mass e-mail to a brand new e-mail list on short notice, especially given that this all unfolded on a Friday afternoon in the UK. It’s not as if British Airways maintains a mailing list called “Accounts that have been frozen as security precaution”, so some affected accounts may have been left out of the notification, or they could still be sending them in batches. There are a lot of people at British Airways who have been putting in an unexpected long weekend with this one.
Their customer service agents have been swamped by this. Here’s a screenshot from their Twitter account yesterday.
If you do absolutely need to contact British Airways right now, please be respectful and patient. Their customer service staff had nothing to do with causing this issue, so being rude to them will do nothing to help.
In the coming days, we’ll find out more, and we’ll all get our Avios back into our accounts. In the meantime, relax & enjoy the rest of your weekend.