BA apologies for hacked credit card details
British Airways apologised on Friday after the credit card details of hundreds of thousands of its customers were stolen in the most serious attack yet on its website and app.
The airline discovered on Wednesday that bookings made between August 21 and September 5 had been infiltrated in a “very sophisticated, malicious criminal” attack, the airlines chairman and chief executive Alex Cruz said.
The company immediately contacted customers when the extent of the breach became clear.
About 380,000 card payments were compromised with hackers obtaining names, street and email addresses, credit card numbers, expiry dates and security codes – enough information to steal from accounts.
Shares in British Airways’ parent, International Airlines Group, were down 2 per cent in afternoon trading on Friday.
Mr Cruz said the company was deeply sorry for the disruption caused by the attack.
He said the attackers had not broken the airline’s encryption but did not explain how they had obtained the data.
“There were other methods, very sophisticated efforts, by criminals in obtaining the data,” Mr Cruz told the BBC.
IT security company Avast said that the attackers had probably targeted a gateway between the airline and a payment processor.
“Quite often, when it’s just a hack of a database, it is hard to identify when something has been compromised,” Avast’s consumer security expert Pete Turner said.
“This feels much more like a transaction-type attack, where data is moving about within the system.”
IAG said the data breach had been resolved. The website was now working normally, and that no travel or passport details were stolen.