While the airline says only a small portion of customers are affected and no names, addresses or financial data were accessed, British Airways also says it was forced to freeze all affected accounts while the incident is being investigated.
“British Airways has become aware of some unauthorized activity in relation to a small number of frequent flyer executive club members,” the airline stated. “This appears to have been the result of a third party using information obtained elsewhere on the Internet, via an automated process, to try to gain access to some accounts.”
“We would like to reassure customers that at this stage we are not aware of any access to any subsequent information pages within accounts, including travel histories or payment card details,” British Airways added. “We are sorry for the concern and inconvenience this matter has caused and would like to reassure customers that we are taking this incident seriously and have taken a number of steps to lock down accounts so they can no longer be accessed.”
Malwarebytes malware expert Jovi Umawing told eSecurity Planet by email that the relative lack of information provided by British Airways makes it hard for Executive Club members to feel confident in the security of their accounts. “British Airways frequent flyers who think they may be affected are advised to follow the company’s lead and change their account passwords,” she said.
“Given the suggestion that details from another source might have been used in this attack, it might be a good idea to start using a password manager and ensure sensitive login information isn’t being shared between sites,” Umawing added.
STEALTHbits strategy and research officer Jonathan Sander said by email that it’ll be interesting to see how British Airways follows up on this. “Will bad password practices cost fliers hard-earned miles, or will BA take the hit and give the customers back what was taken? In a market as competitive as air travel, rewards programs are a way to keep customers loyal, but now BA will be forced to cause some pain by adding more security steps to their process,” he said.
Regardless, VASCO Data Security vice president John Gunn said these types of attacks are starting to have a tangible impact on companies’ relationships with their customers. “We are rapidly approaching the day when consumers are collectively inconvenienced enough by repeated hacking incidents that they will start selecting merchants and business partners based on the level of security they offer,” he said.
“It will become an insurmountable obstacle to success for merchants who do not offer two-factor authentication to their customers,” Gunn added.