Hacker Flies Away With British Airways Customer Data'Personal and Financial Details' Stolen From 380,000 Website and App Transactions
British Airways is warning customers that it suffered a hack attack that compromised up to 380,000 customers' payment cards as well as personal data over a 15-day period. Security experts say all breach victims should immediately contact their credit or debit card provider.
"British Airways is investigating, as a matter of urgency, the theft of customer data from its website, ba.com, and the airline's mobile app," the company says in its data breach notification to customers. "The stolen data did not include travel or passport details."
The breach began at 10:58 p.m. British Standard Time on Aug. 21 and persisted until 9:45 p.m. on Sept. 5, says the airline, which is part of Madrid-based International Airlines Group.
All customers who bought or changed a ticket using the website or mobile app during that timeframe were potentially affected, BA says.
Following in the footsteps of many other data breach victims, Alex Cruz, the CEO and chairman of British Airways, claimed that the attack had been sophisticated. Speaking to the BBC, Cruz apologized for his company having suffered a "sophisticated, malicious criminal attack," and said measures were being put in place to prevent a recurrence.
Cruz said the breach was discovered on Wednesday, after a business partner that monitors its websites alerted the airline. Cruz says the airline immediately began investigating the apparent breach.
"We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers' data very seriously," Cruz says in a statement.
Breach Mitigated, Airline Says
British Airways says the breach has been mitigated and that its website is safe to use again. "The incident has been resolved and all systems are working normally so customers due to travel can check-in online as normal," the airline says.
The airline says it's working with law enforcement agencies to investigate. "We have notified the police and relevant authorities. We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of our customers' data very seriously," the airline says.
British Airways took out a number of full-page advertisements in U.K. newspapers Friday to apologize for the breach.
GDPR Enforcement in Effect
The U.K.'s data protection authority, the Information Commissioner's Office, says it's aware of the breach and waiting for more information. "British Airways has made us aware of an incident and we are making enquiries," the ICO says in a statement.
The ICO enforces the EU's General Data Protection Regulation, which went into full force on May 25. GDPR requires organizations to report some types of breaches to relevant authorities within 72 hours of discovering the breach, as the airline appears to have done.
Organizations that fail to comply with GDPR can face fines of up to 4 percent of an organization's annual global revenue or €20 million ($23 million), whichever is greater. Organizations that fail to comply with GDPR's reporting requirements can also face fines of up to €10 million ($12 million) or 2 percent of annual global revenue.
The U.K.'s National Cyber Security Center, which serves as the country's computer emergency readiness team and is part of the intelligence agency GCHQ , says it's also tracking the breach.
"We are aware of reports of a data breach affecting British Airways," NCSC says in a statement. "We are working with partners to better understand this incident and how it has affected customers."
Airline Directly Notifies All Customers
British Airways says that it notified all affected customers on Thursday night.
"Every customer affected will be fully reimbursed and we will pay for a credit checking service," the airline says. "We take the protection of our customers' data seriously, and are very sorry for the concern that this criminal activity has caused. We will continue to keep our customers updated with the very latest information. We will be contacting customers and will manage any claims on an individual basis."
Consumer rights and product-testing group Which says anyone who might have been affected by the breach should immediately change their British Airways password, as well as anywhere else they may have used the same password (see Why Are We *Still* So Stupid About Passwords?).
"We recommend you choose a unique password that you do not use for any other online account," British Airways says. To change their password, it says users should visit the ba.com homepage and "click the 'Forgotten PIN/Password' link on the top right-hand corner."
If you are concerned you may have been affected by the British Airways data breach you should:— Which? (@WhichUK) September 6, 2018
Change your online passwords
Monitor your bank and online accounts
Be wary of any emails regarding the breach.
Which also recommends customers closely monitor their bank accounts and credit reports, as well as beware of phishing scams pretending to be from British Airways or their bank.
Beyond contacting their bank or credit card issuer, in the U.K., Action Fraud is the contact point for consumers to report fraud to authorities.
String of IT Problems
The website and mobile app breach is one of a number of technology problems that have hit British Airways.
In July, the airline was forced to cancel a number of short-haul flights over a two-day period. It blamed "an issue with a supplier IT system."
In June, the airline canceled 2,000 tickets after an apparent human error led to them being underpriced.
In May 2017, British Airways grounded all of its flights at London's two biggest airports over a bank-holiday weekend after an IT failure led to massive delays (see British Airways Blames Power Surge for Massive Outage).