Barely a week seems to go by without a report of hacking or data theft. Yesterday, BA.com said that almost 400,000 people’s details had been stolen. Here’s a rundown of what to do if your email address is hacked and if other details have been stolen.
BA has confirmed that financial and personal data was stolen from 380,000 customers. It affects people who made a booking or changes to their booking online or via BA’s app between:
- 22.58 on August 21st and
- 21.45 on September 5th inclusive.
SAVVY TIP: BA says this doesn’t affect people who logged in to check in, update passenger information and/or print out boarding passes.
Executive Club accounts were not affected.
BA has emailed the customers affected, although some customers received emails with a subject header and no text. BA says they’ve been contacted again.
What data was stolen?
All the personal and financial information you submitted or changed was stolen. BA says that travel details and passport information were not stolen. Information that was accessed includes:
- Names, addresses and email addresses
- Credit card numbers, expiry dates and the three-digit code on the back,
- Telephone numbers.
What should you do?
Contact your bank or credit card provider. They will tell you what to do next. BA has already said it will compensate all customers who’ve lost out. There’s a bit more information on the hack on BA’s website.
UK Finance, which represents the card providers, has this advice:
- Check your bank and credit card statements regularly and if you spot any unfamiliar transactions, contact your bank or card company immediately. You will get a refund of any money that’s been taken fraudulently on your debit or credit card.
- Watch out because criminals may use the news of the data breach as an opportunity to trick you into revealing personal or financial information. A genuine bank or organisation will never contact you out of the blue to ask for your PIN, full password or to move money to another account.
- Be aware that criminals will often use the publicity around data breaches as a chance to pose as a genuine organisation, including banks, police officers, retailers and telephone or utility companies. Often the criminal will pretend to be from the impacted company, such as British Airways, or claim they are dealing with an issue resulting from the data breach.
SAVVY TIP: Fraudulent emails, phone calls or text messages often claim there has been fraud on an account or the customer needs to “verify” or “update” details. The communication often suggests the request is urgent or asks for remote access to the customer’s computer.
Using the data breach as a cover story, the criminal will then attempt to get the recipient to disclose personal or financial information, which they will then use for their own fraudulent purposes.
What to do if your email address is hacked
If a hacker ‘only’ takes your email address and, for example, encrypted and hashed passwords, there’s a limit to what they can do. However, it’s different if you use this password for other accounts. That’s especially true if valuable information is stored by these other websites.
SAVVY TIP: It’s hard to use different passwords for each account if you have lots of different ones, but it’s such a good security habit to get into. Don’t keep a record of your passwords on your computer because that could be compromised by malware.
If you find out that financial details or a lot of personal information has been stolen, such as your address, date of birth and full name, you should check your bank statements. Do this after you’ve changed your password if you bank online. Next, request a copy of your credit reference file. There are four credit reference agencies: Crediva, Equifax, Experian, and TransUnion. TransUnion used to be called Callcredit and it offers a free-to-use consumer score and file service called Noddle. The credit reference agencies each have their own scoring systems and will tell you your credit score. They are usually free to use, apart from Equifax. If you use Equifax, you get the first 30 days free, and then pay £7.95 per month. There are other companies, such as ClearScore, which repackages credit reference agency data (in ClearScore’s case it’s Equifax’s).
Full Disclosure: I write an editorially independent newsletter for Noddle, who pay me to do so. But Noddle do not pay me to publicise or advertise them.
There’s information on How to get hold of your credit report or credit reference report – and why you should in the section called ‘Everyday Money’.
Choosing strong passwords
Determined ID fraudsters can use computer programs to work out your password. It’s nothing more sophisticated than trying every word in the dictionary against your password. This includes country and place names as well as recognised words. Even if they only manage to access a small number of email accounts, they can then use these accounts to set up others.
Choose your password carefully. I met with a web security whizz who told me – amazingly – that some people use obvious words like ‘password’ as their password. If you want to make life difficult for potential ID fraudsters, use two or three unrelated words joined together as your password.
SAVVY TIP: If your password is ‘banana’, this can be cracked relatively easily by ID fraudsters if they have your email details. Even if you change some letters to numbers, so it reads ‘ban8na’, you’re unlikely to defeat them as they buy software programs with dictionaries where numbers are substituted for letters. A stronger password would be something like ‘bananadesk’. This is because it would take fraudsters such a long time to run through all the possible two-word combinations that they may not bother. If your password is something like desk752, that’s also strong because it’s effectively two words.
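Added example (not part of the original article): a small Python check that classifies the four passwords from the tip above by the cheapest dictionary pattern they fit and gives a rough guess count for each. The word list, the assumed dictionary size of 100,000 and the cost model are assumptions made for illustration.

```python
import re

# Constructed mini word list; a real check would load a full dictionary file.
WORDS = {"banana", "desk", "password", "london", "river", "window"}
# Assumed size of the dictionary a guessing program works through.
DICT_SIZE = 100_000


def matches_with_substitution(pw, words):
    """True if swapping each digit in pw for some letter gives a dictionary word."""
    if not (any(c.isdigit() for c in pw) and any(c.isalpha() for c in pw)):
        return False
    pattern = re.compile(
        "".join("[a-z]" if c.isdigit() else re.escape(c) for c in pw)
    )
    return any(pattern.fullmatch(w) for w in words)


def estimate_guesses(password, words=WORDS, dict_size=DICT_SIZE):
    """Return (pattern, guesses) for the cheapest dictionary pattern that fits.

    The guess counts are a rough model (an assumption of this example):
    one word costs dict_size guesses, each substituted digit multiplies that
    by 10 digits x word length, appended digits by 10 per digit, and two
    joined words cost dict_size squared.
    """
    pw = password.lower()
    found = []
    if pw in words:
        found.append(("single word", dict_size))
    if matches_with_substitution(pw, words):
        digits = sum(c.isdigit() for c in pw)
        found.append(("word with digit substitution",
                      dict_size * (10 * len(pw)) ** digits))
    tail = re.fullmatch(r"([a-z]+)(\d+)", pw)
    if tail and tail.group(1) in words:
        found.append(("word plus digits", dict_size * 10 ** len(tail.group(2))))
    if any(pw[:i] in words and pw[i:] in words for i in range(1, len(pw))):
        found.append(("two joined words", dict_size ** 2))
    if not found:
        return ("no dictionary pattern", None)
    return min(found, key=lambda f: f[1])


if __name__ == "__main__":
    for example in ("banana", "ban8na", "bananadesk", "desk752"):
        print(example, estimate_guesses(example))
```

A check like this can run at sign-up or password change to reject passwords that fit the cheapest patterns.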
Never use one password for all your accounts. These days many of us have so many online accounts that it’s easier to use one password for all of them. However, it’s much safer to use separate passwords (or variations of existing ones) for your accounts.
Be vigilant for spammers
A few years ago phishing and spam emails were decidedly amateur affairs. But today they’re much more sophisticated. It’s true that 99% of people may ignore them but the 1% who are taken in can prove lucrative.
- Watch out for spam and phishing emails. Don’t click on any attachments — and double check them even if they’re from names you know (such as HMRC, your bank or recognised software providers).
SAVVY TIP: Spam or phishing emails can be very convincing. But clicking on one can mean you install malicious software that’s designed to steal passwords. If you think you may have been hacked, run an anti-virus scan. Use a different anti-virus company to your regular provider, but be careful about the free anti-virus software you choose. Some of these may not be genuine.
Keep your mobile data safe
If someone else loses your personal details or they’re hacked, there’s not much you can do about it. However, you can make sure your data is as safe as possible on your PCs, mobile phones and other devices.
- Don’t sell your mobile phone/PC without clearing the data. A recent survey found that half of mobile phones sold on eBay and in second-hand shops had sensitive data on them. They only tested 35 phones so it was a pretty small sample, but the results are still worrying. Some phones had credit card data and passwords on them. It’s not enough simply to delete the data as it will still be present on the phone.
SAVVY TIP: To get rid of data completely, you should restore the phone to its factory settings — and don’t leave your SIM card in the phone when you sell it.