British Airways reveals that data hack may have affected 185,000 additional customers
British Airways (BA) has admitted that an additional 185,000 customers may have been affected by a massive cyber attack on its website earlier this year.
In September 2018, the airline said that its website had been compromised for a 15-day period and that financial and personal data had been stolen from potentially hundreds of thousands of customers.
The group said in a stock exchange announcement yesterday that as part of an investigation into a cyber-breach that took place earlier this year, it is contacting two groups of customers not previously notified.
This includes the holders of 77,000 payment cards whose names, billing addresses, email addresses and card payment information - including card number, expiry date and card verifiable certificate (CVC) - have potentially been compromised. The personal details of a further 108,000 people, albeit without the CVC numbers, have also been compromised.
These customers are all believed to have been those who made reward bookings between 21 April and 28 July 2018 and who used a payment card.
“Investigation into a cyber attack at British Airways is ongoing,” Britain’s Information Commissioner’s Office said in a statement.
BA also revised down its original estimate of 380,000 cards compromised in the September cyber attack, saying only 244,000 of those were affected.
This takes the total number of payment cards potentially affected by the hack to 429,000.
“While British Airways does not have conclusive evidence that the data was removed from its systems, it is taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” BA owner IAG said.
“Since the announcement on September 6 2018, British Airways can confirm that it has had no verified cases of fraud.”
BA is facing a multimillion-pound fine as a result of the data breach, which the airline’s chief executive previously described as a “malicious criminal attack”.
The data breach took place after the introduction of the new Data Protection Act, which includes the provisions of the new European General Data Protection Regulation (GDPR).
Under the new regulations, the maximum penalty for a company hit with a data breach is a fine of either £17m or 4 per cent of global turnover, whichever is greater.
In the year ended December 31 2017, BA’s total revenue was £12.2bn, meaning the company could face a fine of around £500m if the ICO takes action.