Daily Mail

BA PASSENGER ACCOUNTS ‘RAIDED’

Customers say hackers are already siphoning off cash after data breach – as airline faces £500m fine

- By James Salmon Transport Editor

BRITISH Airways passengers last night claimed their bank accounts were already being raided by hackers as it emerged the embattled airline faces a £500million fine.

Customers complained hundreds of pounds had vanished after a major security breach, which saw card details and personal information of nearly 400,000 customers stolen by cyber criminals.

The airline lurched into crisis mode yet again yesterday as victims of the cyber attack rushed to cancel their cards and trawl through their bank accounts for suspicious transactions.

Many woke up to the news that their card details and personal information had been stolen after an email from BA was sent to them in the early hours.

In another shambolic day for Britain’s flagship carrier:

BA’s boss Alex Cruz confirmed criminals had everything they need to commit fraud, including card numbers and security codes;

One customer claimed £1,600 had been stolen from her account;

A cyber crime expert said ‘Christmas has come early’ for fraudsters and predicted customers’ details could be sold for millions of pounds on the ‘dark web’;

Customers were forced to wait on hold or were unable to get through as they desperately tried to contact their banks;

It emerged the airline could be fined up to £500million for the cyber breach, as the Information Commissioner’s Office confirmed it would launch an investigation;

BA came under fire for taking 15 days to spot the breach.

There were also calls for top bosses to quit. David Bannerman, a Tory MEP, wrote on Twitter: ‘British Airways is a lion led by donkeys. Is this yet another example of cutting costs – like computer meltdown and abandoning meals onboard – to try to be an expensive no thrills airline?

‘The strategy and leadership need to be changed urgently.’

BA slipped out the news on Thursday evening that the card details and personal information of around 380,000 customers had been stolen by cyber criminals.

It revealed fraudsters had siphoned off details of customers over 15 days – between 10.58pm on August 21 and September 5 – before BA finally noticed and shut them down. The hack has affected customers who made bookings or other purchases during this time.

As customers complained of agonising delays to get through to their bank, some reported they had been too late to prevent fraudsters from raiding their savings.

One claimed to have had £1,600 stolen from her account, while her friend had seen a number of suspicious transactions apparently made to the airline’s website.

A British Airways Gold member based in Milan, who did not wish to be named, said there had been fraudulent activity on his American Express credit card, which he had used to book a BA flight two weeks ago.

He said he found it ‘bizarre’ to find out about the hack through social media rather than receiving an email from the airline. ‘I’m astonished, this should not have happened with a worldwide group like British Airways,’ he said.

Last night BA confirmed it had received ‘unverified reports’ of fraud-hit customers. But chief executive Alex Cruz, who apologised for the debacle, vowed no customers would be ‘left out of pocket’ as a result of the ‘very sophisticated, malicious criminal attack’. BA warned of scammers calling customers pretending to be from the airline and asking for card details.

As well as sustaining another blow to its reputation, experts warned the airline could be fined £500million over the data breach.

It is the first major breach since tough EU laws were introduced to crack down on firms that failed to protect the personal details of the public. Companies found to have been negligent with such data can now be hit with a penalty of up to £18million or 4 per cent of global revenue – whichever is higher.

The previous maximum fine was only £500,000.

BA racked up global sales of £12.2billion last year, which means it could be facing a penalty of up to £490million. However, lawyers suggested the fine could reach up to £900million under the new General Data Protection Regulation if it is based on the global sales of BA’s parent company IAG.

The prospect of heavy fines and a hefty compensation bill for customers has unnerved shareholders in IAG. Shares tumbled 4 per cent yesterday morning before recovering during the day. The National Crime Agency, which is leading the criminal investigation into the hack, warned those affected to be on their guard.

In a statement, it said: ‘We know that “opportunist” criminals often use incidents like this to conduct secondary fraud attacks.

‘Anyone who thinks they may be affected should remain vigilant of potential fraudsters seeking access to personal details.’

Simon Migliano, head of research and cyber security expert at Top10VPN.com, said: ‘This serious security breach at BA could be sending the dark web into a frenzy. Financial information is extremely valuable and highly desirable and credit card details can sell for £56.50 each. This means the value of the 380,000 hacked accounts on the dark web could be as much as £21.5million. And it won’t take long for word to get around that Christmas has come early.’

Lewis Henderson of security software firm Glasswall Solutions said: ‘It’s entirely possible that the British Airways attackers were siphoning off significant quantities of sensitive data for weeks or months.’

He also questioned how fraudsters managed to get hold of the crucial security code on the back of bank cards, which is usually stored separately from bank numbers.

A BA spokesman said: ‘We understand that this incident will cause concern and inconvenience. We have contacted all affected customers to say sorry, and we will continue to update them in the coming days.’

380,000 BANK CARDS HACKED FROM BA
