British Airways customers’ financial data stolen in major hack
British Airways (BA) has admitted that its website was compromised for a 15-day period leading up to last Wednesday and that financial and personal data has been stolen from potentially hundreds of thousands of customers.
Around 380,000 card payments were “compromised”, it said, and many customers will have to cancel their cards to avoid fraudulent payments.
The airline said “criminal activity” had compromised the personal and financial details of customers who made bookings on its website or app from just before 11pm on August 21 until 9.45pm on Wednesday.
BA said it was investigating the vast breach “as a matter of urgency”, while the National Crime Agency and National Cyber Security Centre are also assessing the hack.
BA chairman and chief executive, Alex Cruz, said the carrier was “deeply sorry” for the disruption caused by the criminal activity.
“We take the protection of our customers’ data very seriously,” he said. The airline also apologised to its customers in a full-page ad in British newspaper Metro.
Worried customers rushed to social media and helplines after the airline urged anyone who suspected they may have been affected to contact their bank or credit card provider.
There were reports of banks being inundated with calls, leaving account holders in lengthy queues, while some BA customers said they had to have cards cancelled and reissued as a result.
Under new data protection rules, the airline was obliged to issue a breach notification within 72 hours of it being detected.
Cruz said BA had “hundreds” of people communicating with customers “making sure that we can help to protect that data”. He told the BBC on Friday morning that the attack was “sophisticated” and “malicious”.
“There was a very sophisticated, malicious criminal attack on our website. We became aware initially on that day and we began to work on it. We discovered that something had happened and immediately we began to work,” he said.
“We didn’t know exactly (the) extent of the work, so overnight the teams were trying to figure what was the extent of the attack.”
Rufus Grig, CTO at Maintel, said: “Organisations like BA are strong targets for cyber criminals because they possess vast amounts of high-value personal data that gives hackers high return on investment.
“Yet, every company is a target when it comes to cyber attacks and there only needs to be a single vulnerability to enable a breach. While cyber-criminals will always find new ways of gaining access, there are ways to reduce risk and minimise the loss of data.
“Organisations must use robust IT systems with the latest security systems to tackle this. With the increase in IoT appliances coming onto the now ubiquitous borderless networks, the attraction for hackers to attack will continue to grow and a priority for security teams will be to reduce the time to detect, contain and mitigate breaches.”