What happened with the BA and SITA data breach?

Many HfP readers will have received an email from British Airways on Friday night concerning a data breach at SITA, an IT provider to the airline industry.

If you didn’t get it, it said:

“Dear Customer,

We take the protection of your data very seriously.

We have been notified of a data breach at global technology company SITA, an IT services provider to many airlines around the world. SITA is not British Airways’ booking and reservations system provider and SITA’s breach does not involve our customers’ financial information or password as SITA does not have access to this data. Please be reassured that this incident was not a breach of British Airways’ systems.

Along with many other airlines, we do share limited information with partner airlines in order to enhance your experience when flying with them. We have been notified by SITA that some British Airways Executive Club Members’ names, membership numbers and some of their preferences, such as seating, has been impacted.

The password you use for your account is not held by SITA and has not been put at risk by this breach.

As a precaution, given the potential that customers have re-used passwords used for other websites, we are taking the following action to protect you:

* Please log into your account and reset your password
* Please create a new password that you have not used elsewhere
* Once your password has been reset and you have completed a verification step, you will be able to regain full access to your account

We know fraudsters try to use situations like this to their advantage. We will not contact you by phone and ask for your password – please do not reveal your password to anyone claiming to be from British Airways. If you need to contact us, you can do so via our contact centres.

We are sorry for the inconvenience caused and thank you for your continued support and cooperation in helping us to keep your information safe and secure.

British Airways”

How did the breach happen?

The majority of legacy airlines, including all Star Alliance ones, were impacted by this breach.

It was caused by a breach of SITA’s ‘Passenger Service System’, a service that handles transactions from ticket reservations to boarding.

Here is SITA’s statement:

“SITA confirms that it was the victim of a cyber-attack, leading to a data security incident involving certain passenger data that was stored on SITA Passenger Service System (US) Inc. servers. Passenger Service System (US) Inc. (“SITA PSS”) operates passenger processing systems for airlines.

After confirmation of the seriousness of the data security incident on February 24, 2021, SITA took immediate action to contact affected SITA PSS customers and all related organizations.

We recognize that the COVID-19 pandemic has raised concerns about security threats, and, at the same time, cyber-criminals have become more sophisticated and active. This was a highly sophisticated attack.

SITA acted swiftly and initiated targeted containment measures. The matter remains under continued investigation by SITA’s Security Incident Response Team with the support of leading external experts in cyber-security.

If you are the customer of an airline and have a Data Subject Access Request in relation to the handling of your personal data, this request must be made directly to that airline in accordance with GDPR and data protection legislation. SITA is unable to respond directly to any such request.”

Multiple airlines were impacted

According to Lufthansa, it appears that intruders entered the reservation system of an Asian airline that is a Star Alliance member between 21st January and 11th February.

All Star Alliance airlines share details of all of their elite members with each other, to allow status members to be identified.

What is odd is that non-Star Alliance airlines are also contacting members. Lufthansa’s account doesn’t explain why BA believes that Executive Club passenger data was being kept by this Asian airline.

Airlines reported to have emailed passengers about the breach include Lufthansa (reportedly the largest data set), Air New Zealand, Singapore Airlines, SAS, Cathay Pacific, Jeju Air, Malaysia Airlines and Finnair.

Most of the airline emails I saw were pretty sanguine. They said, in effect, “Yes, someone has got your frequent flyer account number, but you shouldn’t worry about it because they don’t have your password.”

This is correct. Some, but by no means all, stolen data sets reportedly had a name attached to the frequent flyer number. The only way your account could be hacked is if your name – a name presumably shared by many people – appears on another hacked ID list from a different company, and the password leaked in that breach was the same as your BA password. Unlikely? Yes, but clearly not impossible.

What did British Airways do?

For once, British Airways took an IT breach far more seriously than anyone else. Perhaps too seriously.

On Friday night, it locked people out of their BA accounts. Unfortunately, ba.com has a very complex and buggy system for resetting passwords, which doesn’t work properly if you are logged in. It also requires 2FA. Weirdly, once they had reset their password, many people were asked to change it again and could only regain access after the second change.

Many people were blocked from logging in via their membership number, and only email addresses were being accepted. Some couldn’t use their email address either but found that their user name, which BA tried to phase out years ago, worked. People appeared to have specific difficulties resetting passwords using Chrome, whilst Firefox worked fine.

And then … it went away

Overnight from Friday to Saturday, BA appears to have removed all blocks. If you spent time resetting your password on Friday, you had wasted your time. If you’d left your account alone it would have been functioning fine yesterday.

For some reason BA seems to have decided that it had overreacted. This is possibly due to a call centre meltdown from people who were trying to reset their passwords but couldn’t. BA may have decided that it couldn’t afford to have its telephone lines blocked out with password queries for the next few days.

All very odd. However, as they say, ‘there’s nothing to see here’.

Although, if you feel that your mental health has been severely impacted by this, write down the details. You may be in for a few quid …


Comments (46)

This article is closed to new posts. Discussion continues in the HfP Forums.

  • Neil Murray says:

    It drove me up the wall. It wouldn’t let me in with my EC number and password (apparently you use an email addie now, not your EC number – when did that change come in?). Then having changed the PW, it simply went back to saying it wasn’t recognised. As Rob says I went round in bloody circles. Had to do three or four PW recovery cycles for it to work. There again, I was using a Mac and Safari.
    Anyway, sorted now and a new PW probably isn’t a bad idea. I use a password keeper, which is a Godsend.

  • Robin Henagulph says:

    Procrastination pays!

  • ScienceTeacher says:

    For the thousands that spent hours phoning BA and trying in vain to reset their password … why? Were you all trying to book flights that very evening?

  • T W says:

    Rob, please could you lead a class act? I’m fed up with this.

  • Zumodenaranja says:

    Rob is a class act 🙂

  • mr_jetlag says:

    As one of the first to sound the alarm I felt a little let down that I had no problems accessing my account to change the pwd. Missed out on the fun it seems 🙂
