380,000 customers hit by British Airways hack
Written by Hannah McGrath
British Airways (BA) is investigating the theft of personal and financial data of 380,000 customers after hackers gained access to its website and mobile app.
The airline is urging customers who believe they may have been affected by the data breach to contact their bank or credit card provider, after revealing that its systems were compromised by a sophisticated hacking operation between 21 August and 5 September.
British Airways said the stolen data did not include travel or passport details. It reported that the breach had been resolved and the website was now working normally.
Alex Cruz, chief executive of British Airways, told the BBC the hack was “a sophisticated, malicious criminal attack” which resulted in the theft of names, addresses and credit card information including CVV security numbers.
He apologised to customers who were concerned that their data had been compromised and pledged full compensation to anyone who had suffered financially as a result of the breach. BA says it will be contacting customers directly with updates.
The company has also taken out adverts apologising for the incident in Friday’s newspapers.
Cruz explained that the company was working to investigate the incident with the police and the Information Commissioner’s Office. The National Crime Agency and National Cyber Security Centre are also looking into the incident.
"At the moment, our number one purpose is contacting those customers that made those transactions to make sure they contact their credit card bank providers so they can follow their instructions on how to manage that breach of data,” Cruz told the BBC Radio 4 Today programme.
BA customers have taken to social media to vent their frustration, with many complaining about a lack of communication about the breach.
Some reported delays in receiving an email update sent out at 9pm on Thursday evening regarding the hack, while Cruz confirmed that a small number had received a blank email in error and received a full update shortly afterwards.
One flyer who made a booking during the affected period, tweeting under the name Gemma Theobold, posted: "My bank... are experiencing extremely high call volumes due to this breach! Couldn't do anything other than cancel my card... not how I wanted to spend my Thursday evening."
A statement from British Airways said it was: “Investigating, as a matter of urgency, the theft of customer data from its website, ba.com and the airline’s mobile app. The stolen data did not include travel or passport details.”
“British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice,” it added.
Responding to the incident, Paul Farrington, of app security company CA Veracode, called for more consistency in security and app performance in the airline industry.
He said: “The British Airways breach is just another example of how, as the amount of personal data held by organisations continues to grow, hackers are finding more sophisticated ways to gain access to this data and use it to make a profit.
"Furthermore with GDPR now in full force the board at BA will have to consider their exposure to regulatory fines, especially when it took 16 days for the breach to be detected."
Ross Brewer, vice president at security intelligence firm LogRhythm, said: “The scale and nature of this attack is astounding, with around 380,000 customers knowingly affected. We have heard many times of data breaches involving the theft of personal information which, whilst still very serious, doesn’t often include financial details.”
He added: "This type of attack highlights why it’s incredibly important that businesses are able to automate threat detection."
Banks have been scrambling to respond to queries and card cancellation requests from customers concerned they may have been affected.
Monzo, a digital challenger bank, were able to track banking customers who had used their card to make transactions with British Airways during the affected period.
Tom Blomfield, chief executive of Monzo, said the bank had automatically cancelled the cards of those whose details may have been compromised.
He tweeted: "11:07pm, we'd ordered 1300 replacement debit cards for customers who'd spent money with British Airways between August 21 and September 5 this year."