British Airways admits ‘nation’s biggest’ cyber attack affected extra 185,000 passengers
NEARLY 200,000 British Airways passengers may have had their personal data stolen by hackers last month but are only being told seven weeks after the incident, the airline has admitted.
BA initially failed to realise the extent of the “sophisticated and malicious” cyber attack, which it thought had started in August and lasted two weeks, but actually began at least four months earlier.
On Sept 7, the airline emailed 380,000 passengers warning them that their data, including credit card details, may have been stolen by criminals, leaving them vulnerable to fraud.
Alex Cruz, the chief executive, stated at the time that BA had “gone through every single booking” and said the number of passengers impacted would not rise. But yesterday the airline revealed it had discovered that a further 185,000 BA rewards customers who booked flights between April 21 and July 28 this year were also affected.
Experts said that even before the latest disclosure, the case was one of the biggest breaches of consumer data in the UK. The affected customers would receive an email from the airline by the end of today, it said.
Under the new General Data Protection Regulation introduced in May, companies can be fined if they fail to keep customers’ data safe, or notify them quickly if information may have been compromised.
The airline revealed yesterday that its ongoing investigation into the cyber attack had “recently” found that two groups of customers not previously notified have been affected.
Details from 77,000 payment cards, including account numbers, expiry dates and card verification value (CVV) information have been accessed, it said.
A further 108,000 people’s personal details without CVVS have also been compromised.
Chun Wong, of Hodge Jones and Allen which specialises in data breach cases, said: “It is crucial that huge companies like BA have the necessary cyber security in place to ensure this type of breach does not happen again.
“If consumers can show a material loss as a result of the breach they may be able to take legal action against British Airways.”
The Information Commissioner’s Office, Britain’s data regulator, has already opened an investigation into the September breach.