British Airways is contacting two groups of customers not previously notified that their personal data might have been stolen, following the discovery that a “sophisticated, malicious attack” by hackers last month was much more extensive than initially thought.

The revelation comes just days after Cathay Pacific revealed a similar cyber attack, with a hacker gaining access to the personal information and details of millions of customers.

On 6 September 2018, in an attack on British Airways IT systems that targeted payment cards, cyber-criminals stole personal and financial information from 380,000 customers who booked direct online with BA.

The crime, described by BA chief Alex Cruz at the time as “a very sophisticated, malicious attack”, let criminals obtain the personal and financial details of customers who made bookings on BA’s website or app over a two-week period: between 22:58 BST 21 August 2018 and 21:45 BST 5 September 2018. The bookings could have been made from anywhere, including Australia.

Since then British Airways has been working with specialist cyber forensic investigators and Britain’s National Crime Agency to investigate the data theft.

The airline has stated:

“The investigation has shown the hackers may have stolen additional personal data and we are notifying the holders of 77,000 payment cards, not previously notified, that the name, billing address, email address, card payment information, including card number, expiry date and CVV have potentially been compromised, and a further 108,000 without CVV.

“The potentially impacted customers were those only making reward bookings between April 21 and July 28, 2018, and who used a payment card.

“While we do not have conclusive evidence that the data was removed from British Airways’ systems, we are taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution.”

BA says it has now contacted all customers affected. It now says the original data theft involved the payment card details of 244,000 customers, rather than the 380,000 customers originally thought. So far it has had no verified cases of fraud.

“We are very sorry that this criminal activity has occurred. As we have been doing, we will reimburse any customers who have suffered financial losses as a direct result of the data theft and we will be offering credit rating monitoring, provided by specialists in the field, to any affected customer who is concerned about an impact to their credit rating.”

Written by Peter Needham