The Daily Telegraph

BA customers’ details stolen in massive hack

Information from hundreds of thousands of customers taken in two-week attack on ‘outsourced’ IT system

- By Oliver Gill and Olivia Rudgard

British Airways has called in police and launched an “urgent” investigation after the financial details of hundreds of thousands of customers were stolen in a hack. The airline said the data breach continued for almost two weeks, between Aug 21 and Wednesday this week, with 380,000 payments compromised. The stolen information did not include travel or passport details. Customers who made bookings via Ba.com or the airline’s app are being urged to contact banks and credit card providers.

BRITISH AIRWAYS has called in police and launched an investigation after hundreds of thousands of customers’ financial details were stolen in a hack.

The airline said the data breach continued for almost two weeks, between Aug 21 and Sept 5, with 380,000 payments compromised. Stolen data did not include travel or passport details.

Customers who made bookings via Ba.com or its app are being urged to contact banks and credit card providers.

Alex Cruz, BA’s chief, said: “We are deeply sorry for the disruption that this criminal activity has caused. We take the protection of customer data very seriously.” But passengers last night raised concerns that the airline had not contacted them directly, instead issuing a statement yesterday evening.

Daniel Willis, 34, from Milton Keynes, who booked a flight on Monday, told The Daily Telegraph: “I saw the tweet, that was the first I knew of it. This is my first involvement with BA since they left me stranded with my wife and two-year-old daughter for a few days in Düsseldorf in December – again with no communication. I’ve just had to cancel the card I used. They’re a shambles.” Stephanie Jowers, from New York, who works in tech, said she contacted BA, just hours before the hack was announced on Twitter, with concerns about charges on her account, but was not informed that it may have been compromised.

She said: “I was unclear about a fee charged referencing my booking. The rep told me I would be refunded within 24 hours. I asked repeatedly for an explanation but none was given.”

She had booked flights during the window of time the airline said its systems had been affected, and the charge had appeared a week after she paid. When she contacted her bank following BA’s announcement, the bank advised her to cancel her card.

The National Crime Agency said it was “working with partners to assess the best course of action”.

Under GDPR rules, companies must inform regulators within 72 hours of becoming aware of a data breach. “If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay,” state guidelines from the Information Commissioner’s Office (ICO), the independent regulator that upholds information rights in Britain.

The ICO said it had been alerted to the British Airways hack. A spokesman said it would be “making inquiries”, but declined to comment further.

The data breach is the latest in a string to hit the airline sector. Last week, Air Canada confirmed a data breach affecting 20,000 customers.

In July, Thomas Cook admitted names, emails and flight details had been accessed, although the travel and airline company insisted fewer than 100 bookings had been compromised.

In May, the US airline Delta admitted there had been two breaches in September and October last year.

Rob Burgess, who edits the frequent flier website headforpoints.com, said: “Data breaches are part and parcel of the world we now live in, and criminal activity is getting ever more sophisticated.

“Unfortunately, this is likely to be another PR disaster for British Airways, especially as it includes tickets bought in their September sale, which is being widely promoted at the moment.

“Following on from the IT meltdown last year, it seems that the decision to outsource the majority of BA’s IT to India is yet again coming back to haunt them. The airline has actually been working hard and succeeding of late, to reverse many of the recent cuts to inflight services in an attempt to improve its public image. Sadly, this data breach is likely to knock back its efforts.”
