BA confirms online data breach saw 380,000 customer bank details stolen

A massive online breach at British Airways left hundreds of thousands of customers with their bank data stolen. The airline confirmed last night that 380,000 payment card details were “compromised” in the August peak. BA is urgently investigating the customer … Continue reading →

A massive online breach at British Airways left hundreds of thousands of customers with their bank data stolen.

The airline confirmed last night that 380,000 payment card details were “compromised” in the August peak.

BA is urgently investigating the customer data theft from the ba.com website and the airline’s mobile app.

Hackers targeted the carrier over more than two weeks with personal and financial details of customers making online bookings stolen.

However, BA insisted that the stolen data did not include travel or passport details.

Police and relevant authorities were called in once the breach was discovered on Wednesday evening.

The airline said: “British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice.”

The theft occurred between 10.58pm on August 21 and 9.45pm on September 5.

BA said it was investigating “as a matter of urgency”.

“The breach has been resolved and our website is working normally,” the airline added.

Affected customers were contacted last night and the airline took out full page adverts in today’s national newspapers to apologise for the breach.

BA chairman and chief executive Alex Cruz described the attack as “malicious”.

And he told BBC Breakfast this morning: “This was a very sophisticated criminal attack on ba.com”.

He added that the airline was convinced that the breach had been neutralised.

Cruz said earlier: “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers’ data very seriously.”

The airline said it would provide further updates “when appropriate”.

Paul Farrington, Head of EMEA at app security company CA Veracode, called for more consistency in security and app performance in the airline industry:

“The British Airways breach is just another example of how, as the amount of personal data held by organisations continues to grow, hackers are finding more sophisticated ways to gain access to this data and use it to make a profit.

“Furthermore with GDPR now in full force the board at BA will have to consider their exposure to regulatory fines, especially when it took 16 days for the breach to be detected, and if the financial losses will outstrip what it would have cost to prevent the breach in the first place.

“IT issues are not only affecting BA, but also in the wider airline industry. Airlines have a duty to keep the planes in the air, and the majority of investment goes into that. However, recent outages show investment should also be directed at technology.

“As airlines become ever more dependent on software, this creates a greater surface for hackers to attack and so it is no surprise that breaches of this scale are becoming commonplace.

“Customers are right to be angry. If UK businesses want to avoid becoming the next victim of a breach it is crucial that they take significant steps to secure their software, web applications and networks to ensure that they aren’t their weakest points of attack.”

The National Crime Agency and National Cyber Security Centre confirmed they are assessing the incident.

The NCA said: “We are aware of a data breach affecting British Airways and are working with partners to assess the best course of action.”

Consumer group Which? said people concerned they could be at risk should consider changing their online passwords, monitor bank and other online accounts and be wary that fraudsters may refer to the breach in scam emails.

Alex Neill, Which? managing director of home products and services, said: “British Airways customers will be concerned to hear about this data breach.

“It is now vital that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.

“Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.”

The latest incident follows dozens of BA flights being cancelled at Heathrow due to IT issues in July and more than 2,000 passengers had tickets cancelled a month earlier because ey were too cheap.

An IT failure in over the late May bank holiday in 2017 forced BA to cancel all flights from Heathrow and Gatwick ruining the travel plans of thousands of passengers